{ "SchemaVersion": 2, "Trivy": { "Version": "0.69.3" }, "ReportID": "019d57b3-474b-7f30-ac33-7186754a7050", "CreatedAt": "2026-04-04T08:54:20.23599688Z", "ArtifactName": "sboms/ai-containers-litellm-v1.80.15-stable-cyclonedx.json", "ArtifactType": "cyclonedx", "Metadata": { "OS": { "Family": "wolfi", "Name": "20230201" }, "ImageID": "sha256:1d02f62d956363b8238e106e6c38485a2b62c218f83e4a5708af475af71765ab", "DiffIDs": [ "sha256:0976d876f3faeca501cd9b84d36b662dcfea93d932d294f01c03cbc69b8d47e7", "sha256:1fee5809205cb8bb72f000e4f3450f72ec540d082261fae2d874afdf2cfb1af8", "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4", "sha256:378aa3f0436d513f1f7c7ea8dddbe2ce157fd4b75c9427172244d8619ce246c2", "sha256:4fb8934e770ecfc5d91c0432b2d639a2aeb2ed9fd0ef4f58b4702305b654c758", "sha256:4fd81d3e27fb5f938193746532827e1409d747a42c3c9c59d88bf9258f615650", "sha256:55321903843aeb946d2a3371a60a8dbfbea380e06fe34416516abe678de61bb4", "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef", "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef", "sha256:65f335e81c9b2e62fb2d29b601e9b3db900f4491a09cfe4b57699b7cda675eb0", "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141", "sha256:8bc05688cb135945874ed5a8f16af62b98d41e0c4fa15ec191669de121fa0353", "sha256:9cb5532c87b3cdf27d34ea7555cfe1336c5f363b775ec6234793477dfd0abf8b", "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85", "sha256:af1ea0e33c8e22c51b2e7d16e572107ea675110fb820a75d2193879e1702cd1b", "sha256:b667b36a7cbb543a2e773320ce0bb6938352eca67219e48928d269a81515b90a", "sha256:b8f4845f587dd2a37bc7c8a7281f57490c09f8d683f9d700d3a4a4acd224820b", "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983", "sha256:c77d0e99fd084dcb788aea914065660ca6a6a6f915d92a8d14cbb032cdcc4938", "sha256:d1a8ae7e4b6d8dd59eba17010a2b2751f9a59150c3c364c0deb6ed3984057827", "sha256:d4275a4eb643d92bd35660bc9f6e9b976f7eb01ab9910f36d58ca0d01e398561", "sha256:e0ac84d5d34b359db2b6ae71f8d474e5792b0ef90b4a259d84fd62a19559f2b0", "sha256:ea50c21069668e116baccfbe5cd12101830ce0ed545965e16a258aacb18a3f94", "sha256:f16a4cff816ff065507de0d9c3f1656540ccb51cce36de166212349c1ec60824", "sha256:fd811bda2b5ac0f57312dd79cf30280293175f761fcf7781f7c4f7feba8652e5" ], "RepoDigests": [ "registry.suse.com/ai/containers/litellm@sha256:d2f8177f64377d6bf70771298a38f4ab0504bb22495f6c839fea4240ebf84fff" ], "Reference": "registry.suse.com/ai/containers/litellm@sha256:d2f8177f64377d6bf70771298a38f4ab0504bb22495f6c839fea4240ebf84fff" }, "Results": [ { "Target": "sboms/ai-containers-litellm-v1.80.15-stable-cyclonedx.json (wolfi 20230201)", "Class": "os-pkgs", "Type": "wolfi", "Packages": [ { "ID": "apk-tools@2.14.10-r9", "Name": "apk-tools", "Identifier": { "PURL": "pkg:apk/wolfi/apk-tools@2.14.10-r9?arch=x86_64\u0026distro=20230201", "UID": "a5aba39466341a61", "BOMRef": "pkg:apk/wolfi/apk-tools@2.14.10-r9?arch=x86_64\u0026distro=20230201" }, "Version": "2.14.10-r9", "Arch": "x86_64", "SrcName": "apk-tools", "SrcVersion": "2.14.10-r9", "Licenses": [ "GPL-2.0-only" ], "DependsOn": [ "ca-certificates-bundle@20251003-r2", "glibc@2.42-r5", "ld-linux@2.42-r5", "libcrypto3@3.6.0-r6", "libssl3@3.6.0-r6", "wolfi-baselayout@20230201-r26", "zlib@1.3.1.2-r1" ], "Layer": { "Digest": "sha256:b4f21e0f00e5c93bbae54c108a70ed07720f1a322e1c0a0464cc4284424d5e02", "DiffID": "sha256:4fb8934e770ecfc5d91c0432b2d639a2aeb2ed9fd0ef4f58b4702305b654c758" }, "Digest": "sha1:544bcccf0361787d3c1c8c9bcde30a8ca4ed825b" }, { "ID": "bash@5.3-r3", "Name": "bash", "Identifier": { "PURL": "pkg:apk/wolfi/bash@5.3-r3?arch=x86_64\u0026distro=20230201", "UID": "c33c95153e507d60", "BOMRef": "pkg:apk/wolfi/bash@5.3-r3?arch=x86_64\u0026distro=20230201" }, "Version": "5.3-r3", "Arch": "x86_64", "SrcName": "bash", "SrcVersion": "5.3-r3", "Licenses": [ "GPL-3.0-or-later" ], "DependsOn": [ "glibc@2.42-r5", "ld-linux@2.42-r5", "ncurses@6.6_p20251230-r0", "wolfi-baselayout@20230201-r26" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:88eaaa18579ef0a9c03008a2808b28e8437ebbba" }, { "ID": "busybox@1.37.0-r50", "Name": "busybox", "Identifier": { "PURL": "pkg:apk/wolfi/busybox@1.37.0-r50?arch=x86_64\u0026distro=20230201", "UID": "82040e4342a217ff", "BOMRef": "pkg:apk/wolfi/busybox@1.37.0-r50?arch=x86_64\u0026distro=20230201" }, "Version": "1.37.0-r50", "Arch": "x86_64", "SrcName": "busybox", "SrcVersion": "1.37.0-r50", "Licenses": [ "GPL-2.0-only" ], "DependsOn": [ "glibc@2.42-r5", "ld-linux@2.42-r5", "libcrypt1@2.42-r5", "wolfi-baselayout@20230201-r26" ], "Layer": { "Digest": "sha256:b4e5d0df546ee1b4828576cb9efc6af7b122bbae9e85fdd5c6d08174eb3c6e76", "DiffID": "sha256:d1a8ae7e4b6d8dd59eba17010a2b2751f9a59150c3c364c0deb6ed3984057827" }, "Digest": "sha1:a3d3510e79613de088723486b597279251af8dbb" }, { "ID": "c-ares@1.34.6-r0", "Name": "c-ares", "Identifier": { "PURL": "pkg:apk/wolfi/c-ares@1.34.6-r0?arch=x86_64\u0026distro=20230201", "UID": "314ab48436c8fc1c", "BOMRef": "pkg:apk/wolfi/c-ares@1.34.6-r0?arch=x86_64\u0026distro=20230201" }, "Version": "1.34.6-r0", "Arch": "x86_64", "SrcName": "c-ares", "SrcVersion": "1.34.6-r0", "Licenses": [ "MIT" ], "DependsOn": [ "glibc@2.42-r5" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:72c82e5c25bfd691982cf508bfda988bad5ced12" }, { "ID": "ca-certificates-bundle@20251003-r2", "Name": "ca-certificates-bundle", "Identifier": { "PURL": "pkg:apk/wolfi/ca-certificates-bundle@20251003-r2?arch=x86_64\u0026distro=20230201", "UID": "656040179efc9a7b", "BOMRef": "pkg:apk/wolfi/ca-certificates-bundle@20251003-r2?arch=x86_64\u0026distro=20230201" }, "Version": "20251003-r2", "Arch": "x86_64", "SrcName": "ca-certificates", "SrcVersion": "20251003-r2", "Licenses": [ "MPL-2.0", "MIT" ], "DependsOn": [ "wolfi-baselayout@20230201-r26" ], "Layer": { "Digest": "sha256:cfd7f31cd3d95158ed8290f9ef35b5a8388a535017c6359ba862b4a480750213", "DiffID": "sha256:d4275a4eb643d92bd35660bc9f6e9b976f7eb01ab9910f36d58ca0d01e398561" }, "Digest": "sha1:b81cabb1617c3e35345a5e356ffd4442172a04c8" }, { "ID": "gdbm@1.26-r1", "Name": "gdbm", "Identifier": { "PURL": "pkg:apk/wolfi/gdbm@1.26-r1?arch=x86_64\u0026distro=20230201", "UID": "bffe2bd04737c2f", "BOMRef": "pkg:apk/wolfi/gdbm@1.26-r1?arch=x86_64\u0026distro=20230201" }, "Version": "1.26-r1", "Arch": "x86_64", "SrcName": "gdbm", "SrcVersion": "1.26-r1", "Licenses": [ "GPL-3.0-or-later" ], "DependsOn": [ "glibc@2.42-r5", "ld-linux@2.42-r5" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:2016cdd2efb00ee1a22895bb1315a59c20dd88e7" }, { "ID": "glibc@2.42-r5", "Name": "glibc", "Identifier": { "PURL": "pkg:apk/wolfi/glibc@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "4b71d770af724fbb", "BOMRef": "pkg:apk/wolfi/glibc@2.42-r5?arch=x86_64\u0026distro=20230201" }, "Version": "2.42-r5", "Arch": "x86_64", "SrcName": "glibc", "SrcVersion": "2.42-r5", "Licenses": [ "LGPL-2.1-or-later" ], "DependsOn": [ "glibc-locale-posix@2.42-r5", "ld-linux@2.42-r5", "libgcc@15.2.0-r6", "wolfi-baselayout@20230201-r26" ], "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "Digest": "sha1:ad72e5c8d5d85c1aaf9f88d501ea698db830c1ea" }, { "ID": "glibc-locale-posix@2.42-r5", "Name": "glibc-locale-posix", "Identifier": { "PURL": "pkg:apk/wolfi/glibc-locale-posix@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "b92650e5adfce405", "BOMRef": "pkg:apk/wolfi/glibc-locale-posix@2.42-r5?arch=x86_64\u0026distro=20230201" }, "Version": "2.42-r5", "Arch": "x86_64", "SrcName": "glibc", "SrcVersion": "2.42-r5", "Licenses": [ "LGPL-2.1-or-later" ], "DependsOn": [ "wolfi-baselayout@20230201-r26" ], "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "Digest": "sha1:25098f21a710c5ff7b7ef32d495b2f00018ff1db" }, { "ID": "icu78-data-full@78.2-r0", "Name": "icu78-data-full", "Identifier": { "PURL": "pkg:apk/wolfi/icu78-data-full@78.2-r0?arch=x86_64\u0026distro=20230201", "UID": "36e134aed1b9b37", "BOMRef": "pkg:apk/wolfi/icu78-data-full@78.2-r0?arch=x86_64\u0026distro=20230201" }, "Version": "78.2-r0", "Arch": "x86_64", "SrcName": "icu", "SrcVersion": "78.2-r0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:e615eeade973d33e6d30bca1bcb08383dec2c505" }, { "ID": "ld-linux@2.42-r5", "Name": "ld-linux", "Identifier": { "PURL": "pkg:apk/wolfi/ld-linux@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "69f4caeb09629c13", "BOMRef": "pkg:apk/wolfi/ld-linux@2.42-r5?arch=x86_64\u0026distro=20230201" }, "Version": "2.42-r5", "Arch": "x86_64", "SrcName": "glibc", "SrcVersion": "2.42-r5", "Licenses": [ "LGPL-2.1-or-later" ], "DependsOn": [ "glibc@2.42-r5", "wolfi-baselayout@20230201-r26" ], "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "Digest": "sha1:731061320067096c3e6d03c24a5f31764d6752e5" }, { "ID": "libbrotlicommon1@1.2.0-r1", "Name": "libbrotlicommon1", "Identifier": { "PURL": "pkg:apk/wolfi/libbrotlicommon1@1.2.0-r1?arch=x86_64\u0026distro=20230201", "UID": "e98ea6f048db4ed5", "BOMRef": "pkg:apk/wolfi/libbrotlicommon1@1.2.0-r1?arch=x86_64\u0026distro=20230201" }, "Version": "1.2.0-r1", "Arch": "x86_64", "SrcName": "brotli", "SrcVersion": "1.2.0-r1", "Licenses": [ "MIT" ], "DependsOn": [ "glibc@2.42-r5" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:f16ef9c593de91cc6945073b4636aeeda0c80a0e" }, { "ID": "libbrotlidec1@1.2.0-r1", "Name": "libbrotlidec1", "Identifier": { "PURL": "pkg:apk/wolfi/libbrotlidec1@1.2.0-r1?arch=x86_64\u0026distro=20230201", "UID": "e25632bed2033c36", "BOMRef": "pkg:apk/wolfi/libbrotlidec1@1.2.0-r1?arch=x86_64\u0026distro=20230201" }, "Version": "1.2.0-r1", "Arch": "x86_64", "SrcName": "brotli", "SrcVersion": "1.2.0-r1", "Licenses": [ "MIT" ], "DependsOn": [ "glibc@2.42-r5", "libbrotlicommon1@1.2.0-r1" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:b98182b5ebf03788a5dfd808af6e2d3eeb4ff13c" }, { "ID": "libbrotlienc1@1.2.0-r1", "Name": "libbrotlienc1", "Identifier": { "PURL": "pkg:apk/wolfi/libbrotlienc1@1.2.0-r1?arch=x86_64\u0026distro=20230201", "UID": "1ba85db8b2fc39c5", "BOMRef": "pkg:apk/wolfi/libbrotlienc1@1.2.0-r1?arch=x86_64\u0026distro=20230201" }, "Version": "1.2.0-r1", "Arch": "x86_64", "SrcName": "brotli", "SrcVersion": "1.2.0-r1", "Licenses": [ "MIT" ], "DependsOn": [ "glibc@2.42-r5", "libbrotlicommon1@1.2.0-r1" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:da1a062cc901589428b8d8fc3daa83a23f8cb929" }, { "ID": "libbz2-1@1.0.8-r21", "Name": "libbz2-1", "Identifier": { "PURL": "pkg:apk/wolfi/libbz2-1@1.0.8-r21?arch=x86_64\u0026distro=20230201", "UID": "f1147cb66192ccce", "BOMRef": "pkg:apk/wolfi/libbz2-1@1.0.8-r21?arch=x86_64\u0026distro=20230201" }, "Version": "1.0.8-r21", "Arch": "x86_64", "SrcName": "bzip2", "SrcVersion": "1.0.8-r21", "Licenses": [ "MPL-2.0", "MIT" ], "DependsOn": [ "glibc@2.42-r5" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:66773be08448bafe17560e56adc8fb0dbd106155" }, { "ID": "libcrypt1@2.42-r5", "Name": "libcrypt1", "Identifier": { "PURL": "pkg:apk/wolfi/libcrypt1@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "21603e3491ac8d3e", "BOMRef": "pkg:apk/wolfi/libcrypt1@2.42-r5?arch=x86_64\u0026distro=20230201" }, "Version": "2.42-r5", "Arch": "x86_64", "SrcName": "glibc", "SrcVersion": "2.42-r5", "Licenses": [ "LGPL-2.1-or-later" ], "DependsOn": [ "glibc@2.42-r5", "libxcrypt@4.5.2-r0", "wolfi-baselayout@20230201-r26" ], "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "Digest": "sha1:b259c95cdbbfa83aa3b2fb25ffdc52c5a48240ba" }, { "ID": "libcrypto3@3.6.0-r6", "Name": "libcrypto3", "Identifier": { "PURL": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "58bf5cfcbbfa353d", "BOMRef": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "Version": "3.6.0-r6", "Arch": "x86_64", "SrcName": "openssl", "SrcVersion": "3.6.0-r6", "Licenses": [ "Apache-2.0" ], "DependsOn": [ "glibc@2.42-r5" ], "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "Digest": "sha1:e4390e290349c5139829a73749e2baa02adbd542" }, { "ID": "libexpat1@2.7.3-r0", "Name": "libexpat1", "Identifier": { "PURL": "pkg:apk/wolfi/libexpat1@2.7.3-r0?arch=x86_64\u0026distro=20230201", "UID": "3a76cb93100502eb", "BOMRef": "pkg:apk/wolfi/libexpat1@2.7.3-r0?arch=x86_64\u0026distro=20230201" }, "Version": "2.7.3-r0", "Arch": "x86_64", "SrcName": "expat", "SrcVersion": "2.7.3-r0", "Licenses": [ "MIT" ], "DependsOn": [ "glibc@2.42-r5" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:0131ef7cc94691ad46dd21e4b8bf0f3c3b8a3a9c" }, { "ID": "libffi@3.5.2-r1", "Name": "libffi", "Identifier": { "PURL": "pkg:apk/wolfi/libffi@3.5.2-r1?arch=x86_64\u0026distro=20230201", "UID": "a75a481342c91efd", "BOMRef": "pkg:apk/wolfi/libffi@3.5.2-r1?arch=x86_64\u0026distro=20230201" }, "Version": "3.5.2-r1", "Arch": "x86_64", "SrcName": "libffi", "SrcVersion": "3.5.2-r1", "Licenses": [ "MIT" ], "DependsOn": [ "glibc@2.42-r5" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:ce40e7d1f8951ac77983c4e263e2d7b04b194c17" }, { "ID": "libgcc@15.2.0-r6", "Name": "libgcc", "Identifier": { "PURL": "pkg:apk/wolfi/libgcc@15.2.0-r6?arch=x86_64\u0026distro=20230201", "UID": "797cb5b07dbdc9fd", "BOMRef": "pkg:apk/wolfi/libgcc@15.2.0-r6?arch=x86_64\u0026distro=20230201" }, "Version": "15.2.0-r6", "Arch": "x86_64", "SrcName": "gcc", "SrcVersion": "15.2.0-r6", "Licenses": [ "GPL-3.0-or-later WITH GCC-exception-3.1" ], "DependsOn": [ "glibc@2.42-r5", "ld-linux@2.42-r5" ], "Layer": { "Digest": "sha256:2df0b2a291e711f6a533d2eb9d2acbb793dc14c99c04769a055c02facc8c81bb", "DiffID": "sha256:9cb5532c87b3cdf27d34ea7555cfe1336c5f363b775ec6234793477dfd0abf8b" }, "Digest": "sha1:75538f9751fac17259e21e260f73cd4fb39c3134" }, { "ID": "libicu78@78.2-r0", "Name": "libicu78", "Identifier": { "PURL": "pkg:apk/wolfi/libicu78@78.2-r0?arch=x86_64\u0026distro=20230201", "UID": "d746912758f07d1", "BOMRef": "pkg:apk/wolfi/libicu78@78.2-r0?arch=x86_64\u0026distro=20230201" }, "Version": "78.2-r0", "Arch": "x86_64", "SrcName": "icu", "SrcVersion": "78.2-r0", "Licenses": [ "MIT" ], "DependsOn": [ "glibc@2.42-r5", "icu78-data-full@78.2-r0", "ld-linux@2.42-r5", "libgcc@15.2.0-r6", "libstdc++@15.2.0-r6" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:7afb4e60da61c174faf3cde4b2919c67653c8630" }, { "ID": "libnghttp2-14@1.68.0-r0", "Name": "libnghttp2-14", "Identifier": { "PURL": "pkg:apk/wolfi/libnghttp2-14@1.68.0-r0?arch=x86_64\u0026distro=20230201", "UID": "e70aa72c2e36c3e2", "BOMRef": "pkg:apk/wolfi/libnghttp2-14@1.68.0-r0?arch=x86_64\u0026distro=20230201" }, "Version": "1.68.0-r0", "Arch": "x86_64", "SrcName": "nghttp2", "SrcVersion": "1.68.0-r0", "Licenses": [ "MIT" ], "DependsOn": [ "glibc@2.42-r5" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:2b726230371e9f50c966fa9f92ea28f52350082d" }, { "ID": "libssl3@3.6.0-r6", "Name": "libssl3", "Identifier": { "PURL": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "60a8db26e47ae4b9", "BOMRef": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "Version": "3.6.0-r6", "Arch": "x86_64", "SrcName": "openssl", "SrcVersion": "3.6.0-r6", "Licenses": [ "Apache-2.0" ], "DependsOn": [ "glibc@2.42-r5", "libcrypto3@3.6.0-r6" ], "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "Digest": "sha1:b234ef6c2b447d41498857c7cca47c8b6e2d655e" }, { "ID": "libstdc++@15.2.0-r6", "Name": "libstdc++", "Identifier": { "PURL": "pkg:apk/wolfi/libstdc%2B%2B@15.2.0-r6?arch=x86_64\u0026distro=20230201", "UID": "5edee1d0d175b91b", "BOMRef": "pkg:apk/wolfi/libstdc%2B%2B@15.2.0-r6?arch=x86_64\u0026distro=20230201" }, "Version": "15.2.0-r6", "Arch": "x86_64", "SrcName": "gcc", "SrcVersion": "15.2.0-r6", "Licenses": [ "GPL-3.0-or-later WITH GCC-exception-3.1" ], "DependsOn": [ "glibc@2.42-r5", "ld-linux@2.42-r5", "libgcc@15.2.0-r6" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:69384d004376a0e3c4c0ca7c0e48dd86b059ebce" }, { "ID": "libuuid@2.41.3-r0", "Name": "libuuid", "Identifier": { "PURL": "pkg:apk/wolfi/libuuid@2.41.3-r0?arch=x86_64\u0026distro=20230201", "UID": "b93854531c64bd50", "BOMRef": "pkg:apk/wolfi/libuuid@2.41.3-r0?arch=x86_64\u0026distro=20230201" }, "Version": "2.41.3-r0", "Arch": "x86_64", "SrcName": "util-linux", "SrcVersion": "2.41.3-r0", "Licenses": [ "GPL-3.0-or-later", "GPL-2.0-or-later", "GPL-2.0-only", "GPL-1.0-only", "LGPL-2.1-or-later", "BSD-1-Clause", "BSD-3-Clause", "BSD-4-Clause-UC", "MIT", "CC-PDDC" ], "DependsOn": [ "glibc@2.42-r5", "wolfi-baselayout@20230201-r26" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:8d5c209666f4389ddd512bff4dd5066592a0224b" }, { "ID": "libuv@1.51.0-r2", "Name": "libuv", "Identifier": { "PURL": "pkg:apk/wolfi/libuv@1.51.0-r2?arch=x86_64\u0026distro=20230201", "UID": "620a1a9b1d6ffa27", "BOMRef": "pkg:apk/wolfi/libuv@1.51.0-r2?arch=x86_64\u0026distro=20230201" }, "Version": "1.51.0-r2", "Arch": "x86_64", "SrcName": "libuv", "SrcVersion": "1.51.0-r2", "Licenses": [ "MIT", "ISC" ], "DependsOn": [ "glibc@2.42-r5" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:ec5ccb3f0a6d22f1f9f09dd9920b35361fa11c3a" }, { "ID": "libxcrypt@4.5.2-r0", "Name": "libxcrypt", "Identifier": { "PURL": "pkg:apk/wolfi/libxcrypt@4.5.2-r0?arch=x86_64\u0026distro=20230201", "UID": "61cd8f24b106226e", "BOMRef": "pkg:apk/wolfi/libxcrypt@4.5.2-r0?arch=x86_64\u0026distro=20230201" }, "Version": "4.5.2-r0", "Arch": "x86_64", "SrcName": "libxcrypt", "SrcVersion": "4.5.2-r0", "Licenses": [ "GPL-2.0-or-later", "LGPL-2.1-or-later" ], "Layer": { "Digest": "sha256:1f4d10983e62ad2c98690f0bd9ae22ec0458fbcb25db95e81cfeb2db58f134c8", "DiffID": "sha256:c77d0e99fd084dcb788aea914065660ca6a6a6f915d92a8d14cbb032cdcc4938" }, "Digest": "sha1:9bf49e5d39117def3eb345c8d1ea0437a5e6b76f" }, { "ID": "mpdecimal@4.0.1-r3", "Name": "mpdecimal", "Identifier": { "PURL": "pkg:apk/wolfi/mpdecimal@4.0.1-r3?arch=x86_64\u0026distro=20230201", "UID": "1fdb88df206f6c7f", "BOMRef": "pkg:apk/wolfi/mpdecimal@4.0.1-r3?arch=x86_64\u0026distro=20230201" }, "Version": "4.0.1-r3", "Arch": "x86_64", "SrcName": "mpdecimal", "SrcVersion": "4.0.1-r3", "Licenses": [ "BSD-2-Clause" ], "DependsOn": [ "glibc@2.42-r5", "ld-linux@2.42-r5", "libgcc@15.2.0-r6", "libstdc++@15.2.0-r6" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:12885674e7ba1c71ee370a6876aedfd8c4f02ce4" }, { "ID": "ncurses@6.6_p20251230-r0", "Name": "ncurses", "Identifier": { "PURL": "pkg:apk/wolfi/ncurses@6.6_p20251230-r0?arch=x86_64\u0026distro=20230201", "UID": "a33ed0b101f075dd", "BOMRef": "pkg:apk/wolfi/ncurses@6.6_p20251230-r0?arch=x86_64\u0026distro=20230201" }, "Version": "6.6_p20251230-r0", "Arch": "x86_64", "SrcName": "ncurses", "SrcVersion": "6.6_p20251230-r0", "Licenses": [ "MIT" ], "DependsOn": [ "glibc@2.42-r5", "ld-linux@2.42-r5", "ncurses-terminfo-base@6.6_p20251230-r0" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:f3988a513185dce12ea3131aecf3c45366e24719" }, { "ID": "ncurses-terminfo-base@6.6_p20251230-r0", "Name": "ncurses-terminfo-base", "Identifier": { "PURL": "pkg:apk/wolfi/ncurses-terminfo-base@6.6_p20251230-r0?arch=x86_64\u0026distro=20230201", "UID": "76ad89d90800303b", "BOMRef": "pkg:apk/wolfi/ncurses-terminfo-base@6.6_p20251230-r0?arch=x86_64\u0026distro=20230201" }, "Version": "6.6_p20251230-r0", "Arch": "x86_64", "SrcName": "ncurses", "SrcVersion": "6.6_p20251230-r0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:91547558f6206740093f656bf1c0595b8a83684d" }, { "ID": "nodejs-25@25.3.0-r0", "Name": "nodejs-25", "Identifier": { "PURL": "pkg:apk/wolfi/nodejs-25@25.3.0-r0?arch=x86_64\u0026distro=20230201", "UID": "87548b2ae10b7a36", "BOMRef": "pkg:apk/wolfi/nodejs-25@25.3.0-r0?arch=x86_64\u0026distro=20230201" }, "Version": "25.3.0-r0", "Arch": "x86_64", "SrcName": "nodejs-25", "SrcVersion": "25.3.0-r0", "Licenses": [ "MIT" ], "DependsOn": [ "c-ares@1.34.6-r0", "glibc@2.42-r5", "ld-linux@2.42-r5", "libbrotlidec1@1.2.0-r1", "libbrotlienc1@1.2.0-r1", "libcrypto3@3.6.0-r6", "libgcc@15.2.0-r6", "libicu78@78.2-r0", "libnghttp2-14@1.68.0-r0", "libssl3@3.6.0-r6", "libstdc++@15.2.0-r6", "libuv@1.51.0-r2", "zlib@1.3.1.2-r1" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:17bc3385758145be639456e0de315bd01655b99d" }, { "ID": "npm@11.7.0-r0", "Name": "npm", "Identifier": { "PURL": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201", "UID": "5f4ff9588d6fe35f", "BOMRef": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201" }, "Version": "11.7.0-r0", "Arch": "x86_64", "SrcName": "npm", "SrcVersion": "11.7.0-r0", "Licenses": [ "Artistic-2.0" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:2fb8170a51fb6651fe096b0c5628226fd698bdfc" }, { "ID": "openssl@3.6.0-r6", "Name": "openssl", "Identifier": { "PURL": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "33ccb52a3220a528", "BOMRef": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "Version": "3.6.0-r6", "Arch": "x86_64", "SrcName": "openssl", "SrcVersion": "3.6.0-r6", "Licenses": [ "Apache-2.0" ], "DependsOn": [ "glibc@2.42-r5", "ld-linux@2.42-r5", "libcrypto3@3.6.0-r6", "libssl3@3.6.0-r6" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:9f2760a3256636f68e00f73b8032b20f05b60bf6" }, { "ID": "py3-pip-wheel@25.3-r3", "Name": "py3-pip-wheel", "Identifier": { "PURL": "pkg:apk/wolfi/py3-pip-wheel@25.3-r3?arch=x86_64\u0026distro=20230201", "UID": "2e0238c532fbd843", "BOMRef": "pkg:apk/wolfi/py3-pip-wheel@25.3-r3?arch=x86_64\u0026distro=20230201" }, "Version": "25.3-r3", "Arch": "x86_64", "SrcName": "py3-pip", "SrcVersion": "25.3-r3", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:ff71f020e00b586917dd5d8367e83a96f98be287" }, { "ID": "py3.13-pip@25.3-r3", "Name": "py3.13-pip", "Identifier": { "PURL": "pkg:apk/wolfi/py3.13-pip@25.3-r3?arch=x86_64\u0026distro=20230201", "UID": "a17c3c043e6a4b67", "BOMRef": "pkg:apk/wolfi/py3.13-pip@25.3-r3?arch=x86_64\u0026distro=20230201" }, "Version": "25.3-r3", "Arch": "x86_64", "SrcName": "py3-pip", "SrcVersion": "25.3-r3", "Licenses": [ "MIT" ], "DependsOn": [ "py3.13-pip-base@25.3-r3", "python-3.13-base@3.13.11-r2" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:11336a55a6f2932bd4f43d630fca7e7de3daf338" }, { "ID": "py3.13-pip-base@25.3-r3", "Name": "py3.13-pip-base", "Identifier": { "PURL": "pkg:apk/wolfi/py3.13-pip-base@25.3-r3?arch=x86_64\u0026distro=20230201", "UID": "ffe8fae134e727d9", "BOMRef": "pkg:apk/wolfi/py3.13-pip-base@25.3-r3?arch=x86_64\u0026distro=20230201" }, "Version": "25.3-r3", "Arch": "x86_64", "SrcName": "py3-pip", "SrcVersion": "25.3-r3", "Licenses": [ "MIT" ], "DependsOn": [ "py3.13-setuptools@80.9.0-r4", "python-3.13-base@3.13.11-r2" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:a496a9e39146888e16e71accf80e35f37a236ad0" }, { "ID": "py3.13-setuptools@80.9.0-r4", "Name": "py3.13-setuptools", "Identifier": { "PURL": "pkg:apk/wolfi/py3.13-setuptools@80.9.0-r4?arch=x86_64\u0026distro=20230201", "UID": "7671f43b0dd5e463", "BOMRef": "pkg:apk/wolfi/py3.13-setuptools@80.9.0-r4?arch=x86_64\u0026distro=20230201" }, "Version": "80.9.0-r4", "Arch": "x86_64", "SrcName": "py3-setuptools", "SrcVersion": "80.9.0-r4", "Licenses": [ "MIT" ], "DependsOn": [ "python-3.13-base@3.13.11-r2" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:5a6b9b55dfb7ed4b816754281bb7da777fa14462" }, { "ID": "python-3.13@3.13.11-r2", "Name": "python-3.13", "Identifier": { "PURL": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "c546fcf7d1b404b7", "BOMRef": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "Version": "3.13.11-r2", "Arch": "x86_64", "SrcName": "python-3.13", "SrcVersion": "3.13.11-r2", "Licenses": [ "PSF-2.0" ], "DependsOn": [ "python-3.13-base@3.13.11-r2" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:3efce8a6f8142642c67f8e43acc35081add4b522" }, { "ID": "python-3.13-base@3.13.11-r2", "Name": "python-3.13-base", "Identifier": { "PURL": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "76ccde4e5caeebb", "BOMRef": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "Version": "3.13.11-r2", "Arch": "x86_64", "SrcName": "python-3.13", "SrcVersion": "3.13.11-r2", "Licenses": [ "PSF-2.0" ], "DependsOn": [ "gdbm@1.26-r1", "glibc@2.42-r5", "ld-linux@2.42-r5", "libbz2-1@1.0.8-r21", "libcrypto3@3.6.0-r6", "libexpat1@2.7.3-r0", "libffi@3.5.2-r1", "libssl3@3.6.0-r6", "libuuid@2.41.3-r0", "mpdecimal@4.0.1-r3", "ncurses@6.6_p20251230-r0", "py3-pip-wheel@25.3-r3", "readline@8.3-r1", "sqlite-libs@3.51.1-r0", "xz@5.8.2-r0", "zlib@1.3.1.2-r1" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:0c90cac95f4b596391d69fe4426af66c0dce4224" }, { "ID": "readline@8.3-r1", "Name": "readline", "Identifier": { "PURL": "pkg:apk/wolfi/readline@8.3-r1?arch=x86_64\u0026distro=20230201", "UID": "88dc185e6c657a92", "BOMRef": "pkg:apk/wolfi/readline@8.3-r1?arch=x86_64\u0026distro=20230201" }, "Version": "8.3-r1", "Arch": "x86_64", "SrcName": "readline", "SrcVersion": "8.3-r1", "Licenses": [ "GPL-3.0-or-later" ], "DependsOn": [ "glibc@2.42-r5", "ncurses@6.6_p20251230-r0" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:bcbe178d5b1edd94ce7b1cb8465e1cda8964a3db" }, { "ID": "sqlite-libs@3.51.1-r0", "Name": "sqlite-libs", "Identifier": { "PURL": "pkg:apk/wolfi/sqlite-libs@3.51.1-r0?arch=x86_64\u0026distro=20230201", "UID": "f34b90e94fb63e29", "BOMRef": "pkg:apk/wolfi/sqlite-libs@3.51.1-r0?arch=x86_64\u0026distro=20230201" }, "Version": "3.51.1-r0", "Arch": "x86_64", "SrcName": "sqlite", "SrcVersion": "3.51.1-r0", "Licenses": [ "blessing" ], "DependsOn": [ "glibc@2.42-r5" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:d0361a0bc6717f9262dbf71e350da24cd1987755" }, { "ID": "supervisor@4.3.0-r0", "Name": "supervisor", "Identifier": { "PURL": "pkg:apk/wolfi/supervisor@4.3.0-r0?arch=x86_64\u0026distro=20230201", "UID": "a1efe62762a65351", "BOMRef": "pkg:apk/wolfi/supervisor@4.3.0-r0?arch=x86_64\u0026distro=20230201" }, "Version": "4.3.0-r0", "Arch": "x86_64", "SrcName": "supervisor", "SrcVersion": "4.3.0-r0", "Licenses": [ "BSD-3-Clause" ], "DependsOn": [ "py3.13-setuptools@80.9.0-r4", "python-3.13-base@3.13.11-r2", "supervisor-config@4.3.0-r0" ], "Layer": { "Digest": "sha256:c12bc7cb82323084be1e43e0a04f18cc3643991e204bfc4da1ec933a98f80aa1", "DiffID": "sha256:4fd81d3e27fb5f938193746532827e1409d747a42c3c9c59d88bf9258f615650" }, "Digest": "sha1:6daf57e1bd2a466563021c6c1d2b726d4f32a659" }, { "ID": "supervisor-config@4.3.0-r0", "Name": "supervisor-config", "Identifier": { "PURL": "pkg:apk/wolfi/supervisor-config@4.3.0-r0?arch=x86_64\u0026distro=20230201", "UID": "ea4a602b9cd12a7e", "BOMRef": "pkg:apk/wolfi/supervisor-config@4.3.0-r0?arch=x86_64\u0026distro=20230201" }, "Version": "4.3.0-r0", "Arch": "x86_64", "SrcName": "supervisor", "SrcVersion": "4.3.0-r0", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c12bc7cb82323084be1e43e0a04f18cc3643991e204bfc4da1ec933a98f80aa1", "DiffID": "sha256:4fd81d3e27fb5f938193746532827e1409d747a42c3c9c59d88bf9258f615650" }, "Digest": "sha1:9dc25d852bd533a57c94bba2e0649a696c81efae" }, { "ID": "tzdata@2025c-r0", "Name": "tzdata", "Identifier": { "PURL": "pkg:apk/wolfi/tzdata@2025c-r0?arch=x86_64\u0026distro=20230201", "UID": "e6409584529cc3db", "BOMRef": "pkg:apk/wolfi/tzdata@2025c-r0?arch=x86_64\u0026distro=20230201" }, "Version": "2025c-r0", "Arch": "x86_64", "SrcName": "tzdata", "SrcVersion": "2025c-r0", "Licenses": [ "CC-PDDC" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:2c137e3cd0482cb748f0d5ab1c1907bd2a03598a" }, { "ID": "wolfi-base@1-r7", "Name": "wolfi-base", "Identifier": { "PURL": "pkg:apk/wolfi/wolfi-base@1-r7?arch=x86_64\u0026distro=20230201", "UID": "ad67c82f592d7c72", "BOMRef": "pkg:apk/wolfi/wolfi-base@1-r7?arch=x86_64\u0026distro=20230201" }, "Version": "1-r7", "Arch": "x86_64", "SrcName": "wolfi-base", "SrcVersion": "1-r7", "Licenses": [ "MIT" ], "DependsOn": [ "apk-tools@2.14.10-r9", "busybox@1.37.0-r50", "wolfi-keys@1-r12" ], "Layer": { "Digest": "sha256:ffa8141ea1304488d30186ab34fef5f95cd8231566e2570c2f785278256cdd74", "DiffID": "sha256:0976d876f3faeca501cd9b84d36b662dcfea93d932d294f01c03cbc69b8d47e7" }, "Digest": "sha1:e82b5ced3be890350f3a2fb44e41c27929abca1d" }, { "ID": "wolfi-baselayout@20230201-r26", "Name": "wolfi-baselayout", "Identifier": { "PURL": "pkg:apk/wolfi/wolfi-baselayout@20230201-r26?arch=x86_64\u0026distro=20230201", "UID": "a407b82cb6ab99aa", "BOMRef": "pkg:apk/wolfi/wolfi-baselayout@20230201-r26?arch=x86_64\u0026distro=20230201" }, "Version": "20230201-r26", "Arch": "x86_64", "SrcName": "wolfi-baselayout", "SrcVersion": "20230201-r26", "Licenses": [ "MIT" ], "DependsOn": [ "ca-certificates-bundle@20251003-r2" ], "Layer": { "Digest": "sha256:f8f83eb22e81bcfcbd43c5409aeaa6ef92528c8b8f28091c2563e47c2f98be5b", "DiffID": "sha256:af1ea0e33c8e22c51b2e7d16e572107ea675110fb820a75d2193879e1702cd1b" }, "Digest": "sha1:4a6f36a82aefeab384c62e957de1ed325bf28b78" }, { "ID": "wolfi-keys@1-r12", "Name": "wolfi-keys", "Identifier": { "PURL": "pkg:apk/wolfi/wolfi-keys@1-r12?arch=x86_64\u0026distro=20230201", "UID": "f7e5cae8a2b8c28", "BOMRef": "pkg:apk/wolfi/wolfi-keys@1-r12?arch=x86_64\u0026distro=20230201" }, "Version": "1-r12", "Arch": "x86_64", "SrcName": "wolfi-keys", "SrcVersion": "1-r12", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:ffa8141ea1304488d30186ab34fef5f95cd8231566e2570c2f785278256cdd74", "DiffID": "sha256:0976d876f3faeca501cd9b84d36b662dcfea93d932d294f01c03cbc69b8d47e7" }, "Digest": "sha1:c4d03f9ec0c9e4c411afc8a40f0bab26f70658db" }, { "ID": "xz@5.8.2-r0", "Name": "xz", "Identifier": { "PURL": "pkg:apk/wolfi/xz@5.8.2-r0?arch=x86_64\u0026distro=20230201", "UID": "4818cfcc49d51f2f", "BOMRef": "pkg:apk/wolfi/xz@5.8.2-r0?arch=x86_64\u0026distro=20230201" }, "Version": "5.8.2-r0", "Arch": "x86_64", "SrcName": "xz", "SrcVersion": "5.8.2-r0", "Licenses": [ "GPL-3.0-or-later" ], "DependsOn": [ "glibc@2.42-r5", "ld-linux@2.42-r5" ], "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "Digest": "sha1:a123de3bc1fbf5c75138df83c9dc76d292de70d5" }, { "ID": "zlib@1.3.1.2-r1", "Name": "zlib", "Identifier": { "PURL": "pkg:apk/wolfi/zlib@1.3.1.2-r1?arch=x86_64\u0026distro=20230201", "UID": "d9c9357d2b1de8c9", "BOMRef": "pkg:apk/wolfi/zlib@1.3.1.2-r1?arch=x86_64\u0026distro=20230201" }, "Version": "1.3.1.2-r1", "Arch": "x86_64", "SrcName": "zlib", "SrcVersion": "1.3.1.2-r1", "Licenses": [ "MPL-2.0", "MIT" ], "DependsOn": [ "glibc@2.42-r5", "wolfi-baselayout@20230201-r26" ], "Layer": { "Digest": "sha256:7c9a487ed6faf9893d87deeb23f0fe3f2b7f1b8a3121a18dd72584e427c066be", "DiffID": "sha256:1fee5809205cb8bb72f000e4f3450f72ec540d082261fae2d874afdf2cfb1af8" }, "Digest": "sha1:d32193f7763b615642802124a49d58e67d25bdfa" } ], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2025-60876", "PkgID": "busybox@1.37.0-r50", "PkgName": "busybox", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/busybox@1.37.0-r50?arch=x86_64\u0026distro=20230201", "UID": "82040e4342a217ff", "BOMRef": "pkg:apk/wolfi/busybox@1.37.0-r50?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "1.37.0-r50", "FixedVersion": "1.37.0-r52", "Status": "fixed", "Layer": { "Digest": "sha256:b4e5d0df546ee1b4828576cb9efc6af7b122bbae9e85fdd5c6d08174eb3c6e76", "DiffID": "sha256:d1a8ae7e4b6d8dd59eba17010a2b2751f9a59150c3c364c0deb6ed3984057827" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-60876", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:53d5fbebfa3b44fa26ae29ede531554670398b2c6e1eec57b2a281d12c52fa5a", "Title": "busybox: BusyBox wget: HTTP request-target allows header injection", "Description": "BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).", "Severity": "MEDIUM", "CweIDs": [ "CWE-284" ], "VendorSeverity": { "redhat": 1, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "V3Score": 5.4 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-60876", "https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092", "https://lists.busybox.net/pipermail/busybox/2025-November/091817.html", "https://lists.busybox.net/pipermail/busybox/2025-November/091818.html", "https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm", "https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm", "https://nvd.nist.gov/vuln/detail/CVE-2025-60876", "https://www.cve.org/CVERecord?id=CVE-2025-60876" ], "PublishedDate": "2025-11-10T20:15:48.683Z", "LastModifiedDate": "2025-12-31T18:29:41.55Z" }, { "VulnerabilityID": "CVE-2026-0861", "PkgID": "glibc@2.42-r5", "PkgName": "glibc", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/glibc@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "4b71d770af724fbb", "BOMRef": "pkg:apk/wolfi/glibc@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.42-r6", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-0861", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:adef36f59cf548c0b021e7e534ff76c0a74afbe741a55aea557b92005091c910", "Title": "glibc: Integer overflow in memalign leads to heap corruption", "Description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.\n\nNote that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1\u003c\u003c62+ 1, 1\u003c\u003c63] and exactly 1\u003c\u003c63 for posix_memalign and aligned_alloc.\n\nTypically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "Severity": "HIGH", "CweIDs": [ "CWE-190" ], "VendorSeverity": { "alma": 2, "azure": 2, "cbl-mariner": 2, "oracle-oval": 2, "photon": 3, "redhat": 1, "rocky": 2, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 8.1 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/16/5", "https://access.redhat.com/errata/RHSA-2026:2786", "https://access.redhat.com/security/cve/CVE-2026-0861", "https://bugzilla.redhat.com/2429771", "https://bugzilla.redhat.com/2430201", "https://bugzilla.redhat.com/2431196", "https://bugzilla.redhat.com/show_bug.cgi?id=2429771", "https://bugzilla.redhat.com/show_bug.cgi?id=2430201", "https://bugzilla.redhat.com/show_bug.cgi?id=2431196", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915", "https://errata.almalinux.org/9/ALSA-2026-2786.html", "https://errata.rockylinux.org/RLSA-2026:2786", "https://linux.oracle.com/cve/CVE-2026-0861.html", "https://linux.oracle.com/errata/ELSA-2026-50120.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-0861", "https://sourceware.org/bugzilla/show_bug.cgi?id=33796", "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001", "https://ubuntu.com/security/notices/USN-8005-1", "https://www.cve.org/CVERecord?id=CVE-2026-0861" ], "PublishedDate": "2026-01-14T21:15:52.617Z", "LastModifiedDate": "2026-02-03T18:26:25.39Z" }, { "VulnerabilityID": "CVE-2025-15281", "PkgID": "glibc@2.42-r5", "PkgName": "glibc", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/glibc@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "4b71d770af724fbb", "BOMRef": "pkg:apk/wolfi/glibc@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.42-r7", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15281", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:6ee8c7cb4ff6c594ca63017c3644374da83912b11c5a3245b9ed7009cea392d6", "Title": "glibc: wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory", "Description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "Severity": "MEDIUM", "CweIDs": [ "CWE-908" ], "VendorSeverity": { "alma": 2, "azure": 2, "cbl-mariner": 2, "oracle-oval": 2, "photon": 3, "redhat": 1, "rocky": 2, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/20/3", "https://access.redhat.com/errata/RHSA-2026:2786", "https://access.redhat.com/security/cve/CVE-2025-15281", "https://bugzilla.redhat.com/2429771", "https://bugzilla.redhat.com/2430201", "https://bugzilla.redhat.com/2431196", "https://bugzilla.redhat.com/show_bug.cgi?id=2429771", "https://bugzilla.redhat.com/show_bug.cgi?id=2430201", "https://bugzilla.redhat.com/show_bug.cgi?id=2431196", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915", "https://errata.almalinux.org/9/ALSA-2026-2786.html", "https://errata.rockylinux.org/RLSA-2026:2786", "https://linux.oracle.com/cve/CVE-2025-15281.html", "https://linux.oracle.com/errata/ELSA-2026-50174.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-15281", "https://sourceware.org/bugzilla/show_bug.cgi?id=33814", "https://ubuntu.com/security/notices/USN-8005-1", "https://www.cve.org/CVERecord?id=CVE-2025-15281", "https://www.openwall.com/lists/oss-security/2026/01/20/3" ], "PublishedDate": "2026-01-20T14:16:07.843Z", "LastModifiedDate": "2026-02-05T17:43:18.63Z" }, { "VulnerabilityID": "CVE-2026-0915", "PkgID": "glibc@2.42-r5", "PkgName": "glibc", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/glibc@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "4b71d770af724fbb", "BOMRef": "pkg:apk/wolfi/glibc@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.42-r6", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-0915", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:829cd2e43b77245ec5f8d4d482a82946a7fe91827532e274e5d716e5c732700e", "Title": "glibc: glibc: Information disclosure via zero-valued network query", "Description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "Severity": "MEDIUM", "CweIDs": [ "CWE-908" ], "VendorSeverity": { "alma": 2, "azure": 1, "cbl-mariner": 2, "oracle-oval": 2, "photon": 3, "redhat": 2, "rocky": 2, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "V3Score": 5.3 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/16/6", "https://access.redhat.com/errata/RHSA-2026:2786", "https://access.redhat.com/security/cve/CVE-2026-0915", "https://bugzilla.redhat.com/2429771", "https://bugzilla.redhat.com/2430201", "https://bugzilla.redhat.com/2431196", "https://bugzilla.redhat.com/show_bug.cgi?id=2429771", "https://bugzilla.redhat.com/show_bug.cgi?id=2430201", "https://bugzilla.redhat.com/show_bug.cgi?id=2431196", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915", "https://errata.almalinux.org/9/ALSA-2026-2786.html", "https://errata.rockylinux.org/RLSA-2026:2786", "https://linux.oracle.com/cve/CVE-2026-0915.html", "https://linux.oracle.com/errata/ELSA-2026-50174.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-0915", "https://sourceware.org/bugzilla/show_bug.cgi?id=33802", "https://ubuntu.com/security/notices/USN-8005-1", "https://www.cve.org/CVERecord?id=CVE-2026-0915", "https://www.openwall.com/lists/oss-security/2026/01/16/6" ], "PublishedDate": "2026-01-15T22:16:12.457Z", "LastModifiedDate": "2026-01-23T19:36:50.73Z" }, { "VulnerabilityID": "CVE-2026-4437", "PkgID": "glibc@2.42-r5", "PkgName": "glibc", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/glibc@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "4b71d770af724fbb", "BOMRef": "pkg:apk/wolfi/glibc@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.43-r4", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4437", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:baeaa8a5dc6351b6b2fde94a04c2920b8fbe2a0be4c011eb0391b86208a75ca3", "Title": "glibc: glibc: Incorrect DNS response parsing via crafted DNS server response", "Description": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.", "Severity": "MEDIUM", "CweIDs": [ "CWE-125" ], "VendorSeverity": { "redhat": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-4437", "https://nvd.nist.gov/vuln/detail/CVE-2026-4437", "https://sourceware.org/bugzilla/show_bug.cgi?id=34014", "https://www.cve.org/CVERecord?id=CVE-2026-4437" ], "PublishedDate": "2026-03-20T20:16:49.477Z", "LastModifiedDate": "2026-03-23T16:16:51.537Z" }, { "VulnerabilityID": "CVE-2026-4438", "PkgID": "glibc@2.42-r5", "PkgName": "glibc", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/glibc@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "4b71d770af724fbb", "BOMRef": "pkg:apk/wolfi/glibc@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.43-r4", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4438", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:69d80e27085b875b257b2e6184f7afa04e6cc570e57a050b6ba391e0082b9751", "Title": "glibc: glibc: Invalid DNS hostname returned via gethostbyaddr functions", "Description": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.", "Severity": "MEDIUM", "CweIDs": [ "CWE-20", "CWE-88" ], "VendorSeverity": { "redhat": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 4 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-4438", "https://nvd.nist.gov/vuln/detail/CVE-2026-4438", "https://sourceware.org/bugzilla/show_bug.cgi?id=34015", "https://www.cve.org/CVERecord?id=CVE-2026-4438" ], "PublishedDate": "2026-03-20T20:16:49.623Z", "LastModifiedDate": "2026-03-23T15:16:35.68Z" }, { "VulnerabilityID": "CVE-2026-0861", "PkgID": "glibc-locale-posix@2.42-r5", "PkgName": "glibc-locale-posix", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/glibc-locale-posix@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "b92650e5adfce405", "BOMRef": "pkg:apk/wolfi/glibc-locale-posix@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.42-r6", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-0861", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:c24915c31e7a092c14c4fcc53f4b0e3a0e376f85d3764929ae00e1c40fc39faa", "Title": "glibc: Integer overflow in memalign leads to heap corruption", "Description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.\n\nNote that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1\u003c\u003c62+ 1, 1\u003c\u003c63] and exactly 1\u003c\u003c63 for posix_memalign and aligned_alloc.\n\nTypically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "Severity": "HIGH", "CweIDs": [ "CWE-190" ], "VendorSeverity": { "alma": 2, "azure": 2, "cbl-mariner": 2, "oracle-oval": 2, "photon": 3, "redhat": 1, "rocky": 2, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 8.1 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/16/5", "https://access.redhat.com/errata/RHSA-2026:2786", "https://access.redhat.com/security/cve/CVE-2026-0861", "https://bugzilla.redhat.com/2429771", "https://bugzilla.redhat.com/2430201", "https://bugzilla.redhat.com/2431196", "https://bugzilla.redhat.com/show_bug.cgi?id=2429771", "https://bugzilla.redhat.com/show_bug.cgi?id=2430201", "https://bugzilla.redhat.com/show_bug.cgi?id=2431196", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915", "https://errata.almalinux.org/9/ALSA-2026-2786.html", "https://errata.rockylinux.org/RLSA-2026:2786", "https://linux.oracle.com/cve/CVE-2026-0861.html", "https://linux.oracle.com/errata/ELSA-2026-50120.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-0861", "https://sourceware.org/bugzilla/show_bug.cgi?id=33796", "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001", "https://ubuntu.com/security/notices/USN-8005-1", "https://www.cve.org/CVERecord?id=CVE-2026-0861" ], "PublishedDate": "2026-01-14T21:15:52.617Z", "LastModifiedDate": "2026-02-03T18:26:25.39Z" }, { "VulnerabilityID": "CVE-2025-15281", "PkgID": "glibc-locale-posix@2.42-r5", "PkgName": "glibc-locale-posix", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/glibc-locale-posix@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "b92650e5adfce405", "BOMRef": "pkg:apk/wolfi/glibc-locale-posix@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.42-r7", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15281", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:15129a3e929aae17add7a15ae43f47e20e0b104442dfa3b3ca866d300b61d699", "Title": "glibc: wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory", "Description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "Severity": "MEDIUM", "CweIDs": [ "CWE-908" ], "VendorSeverity": { "alma": 2, "azure": 2, "cbl-mariner": 2, "oracle-oval": 2, "photon": 3, "redhat": 1, "rocky": 2, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/20/3", "https://access.redhat.com/errata/RHSA-2026:2786", "https://access.redhat.com/security/cve/CVE-2025-15281", "https://bugzilla.redhat.com/2429771", "https://bugzilla.redhat.com/2430201", "https://bugzilla.redhat.com/2431196", "https://bugzilla.redhat.com/show_bug.cgi?id=2429771", "https://bugzilla.redhat.com/show_bug.cgi?id=2430201", "https://bugzilla.redhat.com/show_bug.cgi?id=2431196", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915", "https://errata.almalinux.org/9/ALSA-2026-2786.html", "https://errata.rockylinux.org/RLSA-2026:2786", "https://linux.oracle.com/cve/CVE-2025-15281.html", "https://linux.oracle.com/errata/ELSA-2026-50174.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-15281", "https://sourceware.org/bugzilla/show_bug.cgi?id=33814", "https://ubuntu.com/security/notices/USN-8005-1", "https://www.cve.org/CVERecord?id=CVE-2025-15281", "https://www.openwall.com/lists/oss-security/2026/01/20/3" ], "PublishedDate": "2026-01-20T14:16:07.843Z", "LastModifiedDate": "2026-02-05T17:43:18.63Z" }, { "VulnerabilityID": "CVE-2026-0915", "PkgID": "glibc-locale-posix@2.42-r5", "PkgName": "glibc-locale-posix", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/glibc-locale-posix@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "b92650e5adfce405", "BOMRef": "pkg:apk/wolfi/glibc-locale-posix@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.42-r6", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-0915", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:de28957a397c2384cce6f28ac9d9c1d37507a805eda7cc2841b356d5905bfc8b", "Title": "glibc: glibc: Information disclosure via zero-valued network query", "Description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "Severity": "MEDIUM", "CweIDs": [ "CWE-908" ], "VendorSeverity": { "alma": 2, "azure": 1, "cbl-mariner": 2, "oracle-oval": 2, "photon": 3, "redhat": 2, "rocky": 2, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "V3Score": 5.3 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/16/6", "https://access.redhat.com/errata/RHSA-2026:2786", "https://access.redhat.com/security/cve/CVE-2026-0915", "https://bugzilla.redhat.com/2429771", "https://bugzilla.redhat.com/2430201", "https://bugzilla.redhat.com/2431196", "https://bugzilla.redhat.com/show_bug.cgi?id=2429771", "https://bugzilla.redhat.com/show_bug.cgi?id=2430201", "https://bugzilla.redhat.com/show_bug.cgi?id=2431196", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915", "https://errata.almalinux.org/9/ALSA-2026-2786.html", "https://errata.rockylinux.org/RLSA-2026:2786", "https://linux.oracle.com/cve/CVE-2026-0915.html", "https://linux.oracle.com/errata/ELSA-2026-50174.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-0915", "https://sourceware.org/bugzilla/show_bug.cgi?id=33802", "https://ubuntu.com/security/notices/USN-8005-1", "https://www.cve.org/CVERecord?id=CVE-2026-0915", "https://www.openwall.com/lists/oss-security/2026/01/16/6" ], "PublishedDate": "2026-01-15T22:16:12.457Z", "LastModifiedDate": "2026-01-23T19:36:50.73Z" }, { "VulnerabilityID": "CVE-2026-4437", "PkgID": "glibc-locale-posix@2.42-r5", "PkgName": "glibc-locale-posix", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/glibc-locale-posix@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "b92650e5adfce405", "BOMRef": "pkg:apk/wolfi/glibc-locale-posix@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.43-r4", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4437", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:17b7676c86cf45a87dce2ba5e320c95c98d5487ea354c709e2c8772b5486ee89", "Title": "glibc: glibc: Incorrect DNS response parsing via crafted DNS server response", "Description": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.", "Severity": "MEDIUM", "CweIDs": [ "CWE-125" ], "VendorSeverity": { "redhat": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-4437", "https://nvd.nist.gov/vuln/detail/CVE-2026-4437", "https://sourceware.org/bugzilla/show_bug.cgi?id=34014", "https://www.cve.org/CVERecord?id=CVE-2026-4437" ], "PublishedDate": "2026-03-20T20:16:49.477Z", "LastModifiedDate": "2026-03-23T16:16:51.537Z" }, { "VulnerabilityID": "CVE-2026-4438", "PkgID": "glibc-locale-posix@2.42-r5", "PkgName": "glibc-locale-posix", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/glibc-locale-posix@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "b92650e5adfce405", "BOMRef": "pkg:apk/wolfi/glibc-locale-posix@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.43-r4", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4438", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:867b2b21bde8fe3430d49e33e1045ffe411aec415f9895537bc5fff03d1df1bc", "Title": "glibc: glibc: Invalid DNS hostname returned via gethostbyaddr functions", "Description": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.", "Severity": "MEDIUM", "CweIDs": [ "CWE-20", "CWE-88" ], "VendorSeverity": { "redhat": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 4 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-4438", "https://nvd.nist.gov/vuln/detail/CVE-2026-4438", "https://sourceware.org/bugzilla/show_bug.cgi?id=34015", "https://www.cve.org/CVERecord?id=CVE-2026-4438" ], "PublishedDate": "2026-03-20T20:16:49.623Z", "LastModifiedDate": "2026-03-23T15:16:35.68Z" }, { "VulnerabilityID": "CVE-2026-0861", "PkgID": "ld-linux@2.42-r5", "PkgName": "ld-linux", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/ld-linux@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "69f4caeb09629c13", "BOMRef": "pkg:apk/wolfi/ld-linux@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.42-r6", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-0861", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:4172b97f73b9fe9e8cd1eee0a468314c93bb7e91cffa48aba9ea7f0bebc1cec4", "Title": "glibc: Integer overflow in memalign leads to heap corruption", "Description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.\n\nNote that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1\u003c\u003c62+ 1, 1\u003c\u003c63] and exactly 1\u003c\u003c63 for posix_memalign and aligned_alloc.\n\nTypically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "Severity": "HIGH", "CweIDs": [ "CWE-190" ], "VendorSeverity": { "alma": 2, "azure": 2, "cbl-mariner": 2, "oracle-oval": 2, "photon": 3, "redhat": 1, "rocky": 2, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 8.1 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/16/5", "https://access.redhat.com/errata/RHSA-2026:2786", "https://access.redhat.com/security/cve/CVE-2026-0861", "https://bugzilla.redhat.com/2429771", "https://bugzilla.redhat.com/2430201", "https://bugzilla.redhat.com/2431196", "https://bugzilla.redhat.com/show_bug.cgi?id=2429771", "https://bugzilla.redhat.com/show_bug.cgi?id=2430201", "https://bugzilla.redhat.com/show_bug.cgi?id=2431196", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915", "https://errata.almalinux.org/9/ALSA-2026-2786.html", "https://errata.rockylinux.org/RLSA-2026:2786", "https://linux.oracle.com/cve/CVE-2026-0861.html", "https://linux.oracle.com/errata/ELSA-2026-50120.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-0861", "https://sourceware.org/bugzilla/show_bug.cgi?id=33796", "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001", "https://ubuntu.com/security/notices/USN-8005-1", "https://www.cve.org/CVERecord?id=CVE-2026-0861" ], "PublishedDate": "2026-01-14T21:15:52.617Z", "LastModifiedDate": "2026-02-03T18:26:25.39Z" }, { "VulnerabilityID": "CVE-2025-15281", "PkgID": "ld-linux@2.42-r5", "PkgName": "ld-linux", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/ld-linux@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "69f4caeb09629c13", "BOMRef": "pkg:apk/wolfi/ld-linux@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.42-r7", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15281", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:20ef3b4b4e96328a0e411199edcc5420d82a12ab273c8d66839185201f7dab65", "Title": "glibc: wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory", "Description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "Severity": "MEDIUM", "CweIDs": [ "CWE-908" ], "VendorSeverity": { "alma": 2, "azure": 2, "cbl-mariner": 2, "oracle-oval": 2, "photon": 3, "redhat": 1, "rocky": 2, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/20/3", "https://access.redhat.com/errata/RHSA-2026:2786", "https://access.redhat.com/security/cve/CVE-2025-15281", "https://bugzilla.redhat.com/2429771", "https://bugzilla.redhat.com/2430201", "https://bugzilla.redhat.com/2431196", "https://bugzilla.redhat.com/show_bug.cgi?id=2429771", "https://bugzilla.redhat.com/show_bug.cgi?id=2430201", "https://bugzilla.redhat.com/show_bug.cgi?id=2431196", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915", "https://errata.almalinux.org/9/ALSA-2026-2786.html", "https://errata.rockylinux.org/RLSA-2026:2786", "https://linux.oracle.com/cve/CVE-2025-15281.html", "https://linux.oracle.com/errata/ELSA-2026-50174.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-15281", "https://sourceware.org/bugzilla/show_bug.cgi?id=33814", "https://ubuntu.com/security/notices/USN-8005-1", "https://www.cve.org/CVERecord?id=CVE-2025-15281", "https://www.openwall.com/lists/oss-security/2026/01/20/3" ], "PublishedDate": "2026-01-20T14:16:07.843Z", "LastModifiedDate": "2026-02-05T17:43:18.63Z" }, { "VulnerabilityID": "CVE-2026-0915", "PkgID": "ld-linux@2.42-r5", "PkgName": "ld-linux", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/ld-linux@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "69f4caeb09629c13", "BOMRef": "pkg:apk/wolfi/ld-linux@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.42-r6", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-0915", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:6a141f34f19e528e604954cc133828680574c4dc1c8e52564a0b5419a172e992", "Title": "glibc: glibc: Information disclosure via zero-valued network query", "Description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "Severity": "MEDIUM", "CweIDs": [ "CWE-908" ], "VendorSeverity": { "alma": 2, "azure": 1, "cbl-mariner": 2, "oracle-oval": 2, "photon": 3, "redhat": 2, "rocky": 2, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "V3Score": 5.3 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/16/6", "https://access.redhat.com/errata/RHSA-2026:2786", "https://access.redhat.com/security/cve/CVE-2026-0915", "https://bugzilla.redhat.com/2429771", "https://bugzilla.redhat.com/2430201", "https://bugzilla.redhat.com/2431196", "https://bugzilla.redhat.com/show_bug.cgi?id=2429771", "https://bugzilla.redhat.com/show_bug.cgi?id=2430201", "https://bugzilla.redhat.com/show_bug.cgi?id=2431196", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915", "https://errata.almalinux.org/9/ALSA-2026-2786.html", "https://errata.rockylinux.org/RLSA-2026:2786", "https://linux.oracle.com/cve/CVE-2026-0915.html", "https://linux.oracle.com/errata/ELSA-2026-50174.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-0915", "https://sourceware.org/bugzilla/show_bug.cgi?id=33802", "https://ubuntu.com/security/notices/USN-8005-1", "https://www.cve.org/CVERecord?id=CVE-2026-0915", "https://www.openwall.com/lists/oss-security/2026/01/16/6" ], "PublishedDate": "2026-01-15T22:16:12.457Z", "LastModifiedDate": "2026-01-23T19:36:50.73Z" }, { "VulnerabilityID": "CVE-2026-4437", "PkgID": "ld-linux@2.42-r5", "PkgName": "ld-linux", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/ld-linux@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "69f4caeb09629c13", "BOMRef": "pkg:apk/wolfi/ld-linux@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.43-r4", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4437", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:e8d9a831ae835ca7472dc6630bd96ec50355e1be160087a6251897197bd998ec", "Title": "glibc: glibc: Incorrect DNS response parsing via crafted DNS server response", "Description": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.", "Severity": "MEDIUM", "CweIDs": [ "CWE-125" ], "VendorSeverity": { "redhat": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-4437", "https://nvd.nist.gov/vuln/detail/CVE-2026-4437", "https://sourceware.org/bugzilla/show_bug.cgi?id=34014", "https://www.cve.org/CVERecord?id=CVE-2026-4437" ], "PublishedDate": "2026-03-20T20:16:49.477Z", "LastModifiedDate": "2026-03-23T16:16:51.537Z" }, { "VulnerabilityID": "CVE-2026-4438", "PkgID": "ld-linux@2.42-r5", "PkgName": "ld-linux", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/ld-linux@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "69f4caeb09629c13", "BOMRef": "pkg:apk/wolfi/ld-linux@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.43-r4", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4438", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:a4db276067152e7dd95a1966925e9fbb78128bfc4d22529be0a729890762e749", "Title": "glibc: glibc: Invalid DNS hostname returned via gethostbyaddr functions", "Description": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.", "Severity": "MEDIUM", "CweIDs": [ "CWE-20", "CWE-88" ], "VendorSeverity": { "redhat": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 4 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-4438", "https://nvd.nist.gov/vuln/detail/CVE-2026-4438", "https://sourceware.org/bugzilla/show_bug.cgi?id=34015", "https://www.cve.org/CVERecord?id=CVE-2026-4438" ], "PublishedDate": "2026-03-20T20:16:49.623Z", "LastModifiedDate": "2026-03-23T15:16:35.68Z" }, { "VulnerabilityID": "CVE-2026-0861", "PkgID": "libcrypt1@2.42-r5", "PkgName": "libcrypt1", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypt1@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "21603e3491ac8d3e", "BOMRef": "pkg:apk/wolfi/libcrypt1@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.42-r6", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-0861", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:fc7fe899a12a6176b7f9bc61e043734d34ae1c4b6353c0dc12b8614886d3d9d0", "Title": "glibc: Integer overflow in memalign leads to heap corruption", "Description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.\n\nNote that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1\u003c\u003c62+ 1, 1\u003c\u003c63] and exactly 1\u003c\u003c63 for posix_memalign and aligned_alloc.\n\nTypically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "Severity": "HIGH", "CweIDs": [ "CWE-190" ], "VendorSeverity": { "alma": 2, "azure": 2, "cbl-mariner": 2, "oracle-oval": 2, "photon": 3, "redhat": 1, "rocky": 2, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 8.1 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/16/5", "https://access.redhat.com/errata/RHSA-2026:2786", "https://access.redhat.com/security/cve/CVE-2026-0861", "https://bugzilla.redhat.com/2429771", "https://bugzilla.redhat.com/2430201", "https://bugzilla.redhat.com/2431196", "https://bugzilla.redhat.com/show_bug.cgi?id=2429771", "https://bugzilla.redhat.com/show_bug.cgi?id=2430201", "https://bugzilla.redhat.com/show_bug.cgi?id=2431196", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915", "https://errata.almalinux.org/9/ALSA-2026-2786.html", "https://errata.rockylinux.org/RLSA-2026:2786", "https://linux.oracle.com/cve/CVE-2026-0861.html", "https://linux.oracle.com/errata/ELSA-2026-50120.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-0861", "https://sourceware.org/bugzilla/show_bug.cgi?id=33796", "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001", "https://ubuntu.com/security/notices/USN-8005-1", "https://www.cve.org/CVERecord?id=CVE-2026-0861" ], "PublishedDate": "2026-01-14T21:15:52.617Z", "LastModifiedDate": "2026-02-03T18:26:25.39Z" }, { "VulnerabilityID": "CVE-2025-15281", "PkgID": "libcrypt1@2.42-r5", "PkgName": "libcrypt1", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypt1@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "21603e3491ac8d3e", "BOMRef": "pkg:apk/wolfi/libcrypt1@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.42-r7", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15281", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:683e2b26f8125cf8f6aea4dbfb401241cc82e3c289c16538772a7f7271077d2f", "Title": "glibc: wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory", "Description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "Severity": "MEDIUM", "CweIDs": [ "CWE-908" ], "VendorSeverity": { "alma": 2, "azure": 2, "cbl-mariner": 2, "oracle-oval": 2, "photon": 3, "redhat": 1, "rocky": 2, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/20/3", "https://access.redhat.com/errata/RHSA-2026:2786", "https://access.redhat.com/security/cve/CVE-2025-15281", "https://bugzilla.redhat.com/2429771", "https://bugzilla.redhat.com/2430201", "https://bugzilla.redhat.com/2431196", "https://bugzilla.redhat.com/show_bug.cgi?id=2429771", "https://bugzilla.redhat.com/show_bug.cgi?id=2430201", "https://bugzilla.redhat.com/show_bug.cgi?id=2431196", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915", "https://errata.almalinux.org/9/ALSA-2026-2786.html", "https://errata.rockylinux.org/RLSA-2026:2786", "https://linux.oracle.com/cve/CVE-2025-15281.html", "https://linux.oracle.com/errata/ELSA-2026-50174.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-15281", "https://sourceware.org/bugzilla/show_bug.cgi?id=33814", "https://ubuntu.com/security/notices/USN-8005-1", "https://www.cve.org/CVERecord?id=CVE-2025-15281", "https://www.openwall.com/lists/oss-security/2026/01/20/3" ], "PublishedDate": "2026-01-20T14:16:07.843Z", "LastModifiedDate": "2026-02-05T17:43:18.63Z" }, { "VulnerabilityID": "CVE-2026-0915", "PkgID": "libcrypt1@2.42-r5", "PkgName": "libcrypt1", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypt1@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "21603e3491ac8d3e", "BOMRef": "pkg:apk/wolfi/libcrypt1@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.42-r6", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-0915", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:34af972bccfe26c407e24ae8e54bf036486336ed571ce6114d57b0e27846a23a", "Title": "glibc: glibc: Information disclosure via zero-valued network query", "Description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "Severity": "MEDIUM", "CweIDs": [ "CWE-908" ], "VendorSeverity": { "alma": 2, "azure": 1, "cbl-mariner": 2, "oracle-oval": 2, "photon": 3, "redhat": 2, "rocky": 2, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "V3Score": 5.3 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/16/6", "https://access.redhat.com/errata/RHSA-2026:2786", "https://access.redhat.com/security/cve/CVE-2026-0915", "https://bugzilla.redhat.com/2429771", "https://bugzilla.redhat.com/2430201", "https://bugzilla.redhat.com/2431196", "https://bugzilla.redhat.com/show_bug.cgi?id=2429771", "https://bugzilla.redhat.com/show_bug.cgi?id=2430201", "https://bugzilla.redhat.com/show_bug.cgi?id=2431196", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15281", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0861", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0915", "https://errata.almalinux.org/9/ALSA-2026-2786.html", "https://errata.rockylinux.org/RLSA-2026:2786", "https://linux.oracle.com/cve/CVE-2026-0915.html", "https://linux.oracle.com/errata/ELSA-2026-50174.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-0915", "https://sourceware.org/bugzilla/show_bug.cgi?id=33802", "https://ubuntu.com/security/notices/USN-8005-1", "https://www.cve.org/CVERecord?id=CVE-2026-0915", "https://www.openwall.com/lists/oss-security/2026/01/16/6" ], "PublishedDate": "2026-01-15T22:16:12.457Z", "LastModifiedDate": "2026-01-23T19:36:50.73Z" }, { "VulnerabilityID": "CVE-2026-4437", "PkgID": "libcrypt1@2.42-r5", "PkgName": "libcrypt1", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypt1@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "21603e3491ac8d3e", "BOMRef": "pkg:apk/wolfi/libcrypt1@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.43-r4", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4437", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:bcfa9b8e131510337c86ad237e5755a3c478548b8397a1c9e3e4cbdf2c2b2bf8", "Title": "glibc: glibc: Incorrect DNS response parsing via crafted DNS server response", "Description": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.", "Severity": "MEDIUM", "CweIDs": [ "CWE-125" ], "VendorSeverity": { "redhat": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-4437", "https://nvd.nist.gov/vuln/detail/CVE-2026-4437", "https://sourceware.org/bugzilla/show_bug.cgi?id=34014", "https://www.cve.org/CVERecord?id=CVE-2026-4437" ], "PublishedDate": "2026-03-20T20:16:49.477Z", "LastModifiedDate": "2026-03-23T16:16:51.537Z" }, { "VulnerabilityID": "CVE-2026-4438", "PkgID": "libcrypt1@2.42-r5", "PkgName": "libcrypt1", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypt1@2.42-r5?arch=x86_64\u0026distro=20230201", "UID": "21603e3491ac8d3e", "BOMRef": "pkg:apk/wolfi/libcrypt1@2.42-r5?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "2.42-r5", "FixedVersion": "2.43-r4", "Status": "fixed", "Layer": { "Digest": "sha256:ef414417342bb076d349529ea133626ec839c421b6eff9040115de8fef46c277", "DiffID": "sha256:c37f47a79b8fe67a79e0f93e47e666a118bb0637e6a3dae82b8c27473fd16983" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4438", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:677651339e22a4c1af1957ef4c89e4a0d631f0e402341fea37427c289b870852", "Title": "glibc: glibc: Invalid DNS hostname returned via gethostbyaddr functions", "Description": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.", "Severity": "MEDIUM", "CweIDs": [ "CWE-20", "CWE-88" ], "VendorSeverity": { "redhat": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 4 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-4438", "https://nvd.nist.gov/vuln/detail/CVE-2026-4438", "https://sourceware.org/bugzilla/show_bug.cgi?id=34015", "https://www.cve.org/CVERecord?id=CVE-2026-4438" ], "PublishedDate": "2026-03-20T20:16:49.623Z", "LastModifiedDate": "2026-03-23T15:16:35.68Z" }, { "VulnerabilityID": "CVE-2025-15467", "PkgID": "libcrypto3@3.6.0-r6", "PkgName": "libcrypto3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "58bf5cfcbbfa353d", "BOMRef": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15467", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:e1055f9198772be324415406935f03c4bbf8ff9ad78f0c49fdc1e0b9ea63ba93", "Title": "openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing", "Description": "Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with\nmaliciously crafted AEAD parameters can trigger a stack buffer overflow.\n\nImpact summary: A stack buffer overflow may lead to a crash, causing Denial\nof Service, or potentially remote code execution.\n\nWhen parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as\nAES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is\ncopied into a fixed-size stack buffer without verifying that its length fits\nthe destination. An attacker can supply a crafted CMS message with an\noversized IV, causing a stack-based out-of-bounds write before any\nauthentication or tag verification occurs.\n\nApplications and services that parse untrusted CMS or PKCS#7 content using\nAEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable.\nBecause the overflow occurs prior to authentication, no valid key material\nis required to trigger it. While exploitability to remote code execution\ndepends on platform and toolchain mitigations, the stack-based write\nprimitive represents a severe risk.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the CMS implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.\n\nOpenSSL 1.1.1 and 1.0.2 are not affected by this issue.", "Severity": "CRITICAL", "CweIDs": [ "CWE-787" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 4, "oracle-oval": 3, "photon": 3, "redhat": 3, "rocky": 3, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 9.8 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/27/10", "http://www.openwall.com/lists/oss-security/2026/02/25/6", "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-15467", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/guiimoraes/CVE-2025-15467", "https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703", "https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9", "https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3", "https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e", "https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc", "https://linux.oracle.com/cve/CVE-2025-15467.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-15467", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-15467" ], "PublishedDate": "2026-01-27T16:16:14.257Z", "LastModifiedDate": "2026-03-19T19:16:19.23Z" }, { "VulnerabilityID": "CVE-2025-69419", "PkgID": "libcrypto3@3.6.0-r6", "PkgName": "libcrypto3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "58bf5cfcbbfa353d", "BOMRef": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69419", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:8ebf962a64f9d783b33a871918fdaa9757f4cb6920123e66dc965aa7ac71397c", "Title": "openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing", "Description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously\ncrafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing\nnon-ASCII BMP code point can trigger a one byte write before the allocated\nbuffer.\n\nImpact summary: The out-of-bounds write can cause a memory corruption\nwhich can have various consequences including a Denial of Service.\n\nThe OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12\nBMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,\nthe helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16\nsource byte count as the destination buffer capacity to UTF8_putc(). For BMP\ncode points above U+07FF, UTF-8 requires three bytes, but the forwarded\ncapacity can be just two bytes. UTF8_putc() then returns -1, and this negative\nvalue is added to the output length without validation, causing the\nlength to become negative. The subsequent trailing NUL byte is then written\nat a negative offset, causing write outside of heap allocated buffer.\n\nThe vulnerability is reachable via the public PKCS12_get_friendlyname() API\nwhen parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a\ndifferent code path that avoids this issue, PKCS12_get_friendlyname() directly\ninvokes the vulnerable function. Exploitation requires an attacker to provide\na malicious PKCS#12 file to be parsed by the application and the attacker\ncan just trigger a one zero byte write before the allocated buffer.\nFor that reason the issue was assessed as Low severity according to our\nSecurity Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.", "Severity": "HIGH", "CweIDs": [ "CWE-787" ], "VendorSeverity": { "alma": 2, "amazon": 3, "azure": 3, "cbl-mariner": 3, "oracle-oval": 2, "photon": 3, "redhat": 2, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "V3Score": 7.4 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:4472", "https://access.redhat.com/security/cve/CVE-2025-69419", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-4472.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296", "https://github.com/openssl/openssl/commit/7e9cac9832e4705b91987c2474ed06a37a93cecb", "https://github.com/openssl/openssl/commit/a26a90d38edec3748566129d824e664b54bee2e2", "https://github.com/openssl/openssl/commit/cda12de3bc0e333ea8d2c6fd15001dbdaf280015", "https://github.com/openssl/openssl/commit/ff628933755075446bca8307e8417c14d164b535", "https://linux.oracle.com/cve/CVE-2025-69419.html", "https://linux.oracle.com/errata/ELSA-2026-50131.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-69419", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-69419" ], "PublishedDate": "2026-01-27T16:16:34.113Z", "LastModifiedDate": "2026-02-02T18:35:02.177Z" }, { "VulnerabilityID": "CVE-2025-69421", "PkgID": "libcrypto3@3.6.0-r6", "PkgName": "libcrypto3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "58bf5cfcbbfa353d", "BOMRef": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69421", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:f2a33244e7e75429618f9d106624a1ac7210df135bd07c8733abd281e24cc423", "Title": "openssl: OpenSSL: Denial of Service via malformed PKCS#12 file processing", "Description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer\ndereference in the PKCS12_item_decrypt_d2i_ex() function.\n\nImpact summary: A NULL pointer dereference can trigger a crash which leads to\nDenial of Service for an application processing PKCS#12 files.\n\nThe PKCS12_item_decrypt_d2i_ex() function does not check whether the oct\nparameter is NULL before dereferencing it. When called from\nPKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can\nbe NULL, causing a crash. The vulnerability is limited to Denial of Service\nand cannot be escalated to achieve code execution or memory disclosure.\n\nExploiting this issue requires an attacker to provide a malformed PKCS#12 file\nto an application that processes it. For that reason the issue was assessed as\nLow severity according to our Security Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "Severity": "HIGH", "CweIDs": [ "CWE-476" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "nvd": 3, "oracle-oval": 3, "photon": 3, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-69421", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/3524a29271f8191b8fd8a5257eb05173982a097b", "https://github.com/openssl/openssl/commit/36ecb4960872a4ce04bf6f1e1f4e78d75ec0c0c7", "https://github.com/openssl/openssl/commit/4bbc8d41a72c842ce4077a8a3eccd1109aaf74bd", "https://github.com/openssl/openssl/commit/643986985cd1c21221f941129d76fe0c2785aeb3", "https://github.com/openssl/openssl/commit/a2dbc539f0f9cc63832709fa5aa33ad9495eb19c", "https://linux.oracle.com/cve/CVE-2025-69421.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-69421", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-69421" ], "PublishedDate": "2026-01-27T16:16:34.437Z", "LastModifiedDate": "2026-02-28T04:16:17.457Z" }, { "VulnerabilityID": "CVE-2025-11187", "PkgID": "libcrypto3@3.6.0-r6", "PkgName": "libcrypto3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "58bf5cfcbbfa353d", "BOMRef": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-11187", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:70ab02f2708d49cce30342fc1308a325384326a112f1b6ec7cfe08de7cdeb2e8", "Title": "openssl: OpenSSL: Arbitrary code execution or denial of service through crafted PKCS#12 file", "Description": "Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation\nwhich can trigger a stack-based buffer overflow, invalid pointer or NULL\npointer dereference during MAC verification.\n\nImpact summary: The stack buffer overflow or NULL pointer dereference may\ncause a crash leading to Denial of Service for an application that parses\nuntrusted PKCS#12 files. The buffer overflow may also potentially enable\ncode execution depending on platform mitigations.\n\nWhen verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2\nsalt and keylength parameters from the file are used without validation.\nIf the value of keylength exceeds the size of the fixed stack buffer used\nfor the derived key (64 bytes), the key derivation will overflow the buffer.\nThe overflow length is attacker-controlled. Also, if the salt parameter is\nnot an OCTET STRING type this can lead to invalid or NULL pointer\ndereference.\n\nExploiting this issue requires a user or application to process\na maliciously crafted PKCS#12 file. It is uncommon to accept untrusted\nPKCS#12 files in applications as they are usually used to store private\nkeys which are trusted by definition. For this reason the issue was assessed\nas Moderate severity.\n\nThe FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as\nPKCS#12 processing is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.\n\nOpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do\nnot support PBMAC1 in PKCS#12.", "Severity": "MEDIUM", "CweIDs": [ "CWE-476", "CWE-787" ], "VendorSeverity": { "alma": 3, "oracle-oval": 3, "redhat": 2, "rocky": 3, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H", "V3Score": 6.1 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-11187", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/metadust/CVE-2025-11187", "https://github.com/openssl/openssl/commit/205e3a55e16e4bd08c12fdbd3416ab829c0f6206", "https://github.com/openssl/openssl/commit/8caf359d6e46fb413e8f5f0df765d2e8a51df4e8", "https://github.com/openssl/openssl/commit/e1079bc17ed93ff16f6b86f33a2fe3336e78817e", "https://linux.oracle.com/cve/CVE-2025-11187.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-11187", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-11187" ], "PublishedDate": "2026-01-27T16:16:14.093Z", "LastModifiedDate": "2026-03-20T14:16:13.89Z" }, { "VulnerabilityID": "CVE-2025-15468", "PkgID": "libcrypto3@3.6.0-r6", "PkgName": "libcrypto3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "58bf5cfcbbfa353d", "BOMRef": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15468", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:e8430af38fdf710baa7431e33e48c9629ffcd20483b26d3b3adb82795ccd4b3d", "Title": "openssl: OpenSSL: Denial of Service via NULL pointer dereference in QUIC protocol handling", "Description": "Issue summary: If an application using the SSL_CIPHER_find() function in\na QUIC protocol client or server receives an unknown cipher suite from\nthe peer, a NULL dereference occurs.\n\nImpact summary: A NULL pointer dereference leads to abnormal termination of\nthe running process causing Denial of Service.\n\nSome applications call SSL_CIPHER_find() from the client_hello_cb callback\non the cipher ID received from the peer. If this is done with an SSL object\nimplementing the QUIC protocol, NULL pointer dereference will happen if\nthe examined cipher ID is unknown or unsupported.\n\nAs it is not very common to call this function in applications using the QUIC \nprotocol and the worst outcome is Denial of Service, the issue was assessed\nas Low severity.\n\nThe vulnerable code was introduced in the 3.2 version with the addition\nof the QUIC protocol support.\n\nThe FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue,\nas the QUIC implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.\n\nOpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-476" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-15468", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/1f08e54bad32843044fe8a675948d65e3b4ece65", "https://github.com/openssl/openssl/commit/7c88376731c589ee5b36116c5a6e32d5ae5f7ae2", "https://github.com/openssl/openssl/commit/b2539639400288a4580fe2d76247541b976bade4", "https://github.com/openssl/openssl/commit/d75b309879631d45b972396ce4e5102559c64ac7", "https://linux.oracle.com/cve/CVE-2025-15468.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-15468", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-15468" ], "PublishedDate": "2026-01-27T16:16:14.4Z", "LastModifiedDate": "2026-02-02T18:38:00.947Z" }, { "VulnerabilityID": "CVE-2025-15469", "PkgID": "libcrypto3@3.6.0-r6", "PkgName": "libcrypto3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "58bf5cfcbbfa353d", "BOMRef": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15469", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:caeadd1e0e09993320ef35300f56a0a895f05b52bfbb4f069d3156abff5c7ea3", "Title": "openssl: OpenSSL: Data integrity bypass in `openssl dgst` command due to silent truncation", "Description": "Issue summary: The 'openssl dgst' command-line tool silently truncates input\ndata to 16MB when using one-shot signing algorithms and reports success instead\nof an error.\n\nImpact summary: A user signing or verifying files larger than 16MB with\none-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire\nfile is authenticated while trailing data beyond 16MB remains unauthenticated.\n\nWhen the 'openssl dgst' command is used with algorithms that only support\none-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input\nis buffered with a 16MB limit. If the input exceeds this limit, the tool\nsilently truncates to the first 16MB and continues without signaling an error,\ncontrary to what the documentation states. This creates an integrity gap where\ntrailing bytes can be modified without detection if both signing and\nverification are performed using the same affected codepath.\n\nThe issue affects only the command-line tool behavior. Verifiers that process\nthe full message using library APIs will reject the signature, so the risk\nprimarily affects workflows that both sign and verify with the affected\n'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and\nlibrary users are unaffected.\n\nThe FIPS modules in 3.5 and 3.6 are not affected by this issue, as the\ncommand-line tools are outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.5 and 3.6 are vulnerable to this issue.\n\nOpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-347" ], "VendorSeverity": { "alma": 3, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "V3Score": 5.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-15469", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/310f305eb92ea8040d6b3cb75a5feeba8e6acf2f", "https://github.com/openssl/openssl/commit/a7936fa4bd23c906e1955a16a0a0ab39a4953a61", "https://linux.oracle.com/cve/CVE-2025-15469.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-15469", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-15469" ], "PublishedDate": "2026-01-27T16:16:14.523Z", "LastModifiedDate": "2026-02-02T18:37:39.313Z" }, { "VulnerabilityID": "CVE-2025-66199", "PkgID": "libcrypto3@3.6.0-r6", "PkgName": "libcrypto3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "58bf5cfcbbfa353d", "BOMRef": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-66199", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:dcaffc211bfe38d06a99073178088b17ecfc11f13f943f8956ad297a3f8818c7", "Title": "openssl: OpenSSL: Denial of Service due to excessive memory allocation in TLS 1.3 certificate compression", "Description": "Issue summary: A TLS 1.3 connection using certificate compression can be\nforced to allocate a large buffer before decompression without checking\nagainst the configured certificate size limit.\n\nImpact summary: An attacker can cause per-connection memory allocations of\nup to approximately 22 MiB and extra CPU work, potentially leading to\nservice degradation or resource exhaustion (Denial of Service).\n\nIn affected configurations, the peer-supplied uncompressed certificate\nlength from a CompressedCertificate message is used to grow a heap buffer\nprior to decompression. This length is not bounded by the max_cert_list\nsetting, which otherwise constrains certificate message sizes. An attacker\ncan exploit this to cause large per-connection allocations followed by\nhandshake failure. No memory corruption or information disclosure occurs.\n\nThis issue only affects builds where TLS 1.3 certificate compression is\ncompiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression\nalgorithm (brotli, zlib, or zstd) is available, and where the compression\nextension is negotiated. Both clients receiving a server CompressedCertificate\nand servers in mutual TLS scenarios receiving a client CompressedCertificate\nare affected. Servers that do not request client certificates are not\nvulnerable to client-initiated attacks.\n\nUsers can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION\nto disable receiving compressed certificates.\n\nThe FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue,\nas the TLS implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.\n\nOpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-789" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-66199", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/3ed1f75249932b155eef993a8e66a99cb98bfef4", "https://github.com/openssl/openssl/commit/6184a4fb08ee6d7bca570d931a4e8bef40b64451", "https://github.com/openssl/openssl/commit/895150b5e021d16b52fb32b97e1dd12f20448be5", "https://github.com/openssl/openssl/commit/966a2478046c311ed7dae50c457d0db4cafbf7e4", "https://linux.oracle.com/cve/CVE-2025-66199.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-66199", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-66199" ], "PublishedDate": "2026-01-27T16:16:15.777Z", "LastModifiedDate": "2026-02-02T18:37:19.613Z" }, { "VulnerabilityID": "CVE-2025-68160", "PkgID": "libcrypto3@3.6.0-r6", "PkgName": "libcrypto3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "58bf5cfcbbfa353d", "BOMRef": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-68160", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:c8e36044755eacaf27a7bd9dcb1fb00518155f3029c285029a9ae18bc97f2a0e", "Title": "openssl: OpenSSL: Denial of Service due to out-of-bounds write in BIO filter", "Description": "Issue summary: Writing large, newline-free data into a BIO chain using the\nline-buffering filter where the next BIO performs short writes can trigger\na heap-based out-of-bounds write.\n\nImpact summary: This out-of-bounds write can cause memory corruption which\ntypically results in a crash, leading to Denial of Service for an application.\n\nThe line-buffering BIO filter (BIO_f_linebuffer) is not used by default in\nTLS/SSL data paths. In OpenSSL command-line applications, it is typically\nonly pushed onto stdout/stderr on VMS systems. Third-party applications that\nexplicitly use this filter with a BIO chain that can short-write and that\nwrite large, newline-free data influenced by an attacker would be affected.\nHowever, the circumstances where this could happen are unlikely to be under\nattacker control, and BIO_f_linebuffer is unlikely to be handling non-curated\ndata controlled by an attacker. For that reason the issue was assessed as\nLow severity.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the BIO implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-787" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "V3Score": 4.7 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-68160", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/384011202af92605d926fafe4a0bcd6b65d162ad", "https://github.com/openssl/openssl/commit/475c466ef2fbd8fc1df6fae1c3eed9c813fc8ff6", "https://github.com/openssl/openssl/commit/4c96fbba618e1940f038012506ee9e21d32ee12c", "https://github.com/openssl/openssl/commit/6845c3b6460a98b1ec4e463baa2ea1a63a32d7c0", "https://github.com/openssl/openssl/commit/68a7cd2e2816c3a02f4d45a2ce43fc04fac97096", "https://linux.oracle.com/cve/CVE-2025-68160.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-68160", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-68160" ], "PublishedDate": "2026-01-27T16:16:15.9Z", "LastModifiedDate": "2026-02-02T18:36:57.727Z" }, { "VulnerabilityID": "CVE-2025-69418", "PkgID": "libcrypto3@3.6.0-r6", "PkgName": "libcrypto3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "58bf5cfcbbfa353d", "BOMRef": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69418", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:64a40879bf3fa050db0af99f463294147676cba8a4c2739f42eb043784dfc836", "Title": "openssl: OpenSSL: Information disclosure and data tampering via specific low-level OCB encryption/decryption calls", "Description": "Issue summary: When using the low-level OCB API directly with AES-NI or\u003cbr\u003eother hardware-accelerated code paths, inputs whose length is not a multiple\u003cbr\u003eof 16 bytes can leave the final partial block unencrypted and unauthenticated.\u003cbr\u003e\u003cbr\u003eImpact summary: The trailing 1-15 bytes of a message may be exposed in\u003cbr\u003ecleartext on encryption and are not covered by the authentication tag,\u003cbr\u003eallowing an attacker to read or tamper with those bytes without detection.\u003cbr\u003e\u003cbr\u003eThe low-level OCB encrypt and decrypt routines in the hardware-accelerated\u003cbr\u003estream path process full 16-byte blocks but do not advance the input/output\u003cbr\u003epointers. The subsequent tail-handling code then operates on the original\u003cbr\u003ebase pointers, effectively reprocessing the beginning of the buffer while\u003cbr\u003eleaving the actual trailing bytes unprocessed. The authentication checksum\u003cbr\u003ealso excludes the true tail bytes.\u003cbr\u003e\u003cbr\u003eHowever, typical OpenSSL consumers using EVP are not affected because the\u003cbr\u003ehigher-level EVP and provider OCB implementations split inputs so that full\u003cbr\u003eblocks and trailing partial blocks are processed in separate calls, avoiding\u003cbr\u003ethe problematic code path. Additionally, TLS does not use OCB ciphersuites.\u003cbr\u003eThe vulnerability only affects applications that call the low-level\u003cbr\u003eCRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with\u003cbr\u003enon-block-aligned lengths in a single call on hardware-accelerated builds.\u003cbr\u003eFor these reasons the issue was assessed as Low severity.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected\u003cbr\u003eby this issue, as OCB mode is not a FIPS-approved algorithm.\u003cbr\u003e\u003cbr\u003eOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\u003cbr\u003e\u003cbr\u003eOpenSSL 1.0.2 is not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-325" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "V3Score": 4 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-69418", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/372fc5c77529695b05b4f5b5187691a57ef5dffc", "https://github.com/openssl/openssl/commit/4016975d4469cd6b94927c607f7c511385f928d8", "https://github.com/openssl/openssl/commit/52d23c86a54adab5ee9f80e48b242b52c4cc2347", "https://github.com/openssl/openssl/commit/a7589230356d908c0eca4b969ec4f62106f4f5ae", "https://github.com/openssl/openssl/commit/ed40856d7d4ba6cb42779b6770666a65f19cb977", "https://linux.oracle.com/cve/CVE-2025-69418.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-69418", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-69418" ], "PublishedDate": "2026-01-27T16:16:33.253Z", "LastModifiedDate": "2026-02-02T18:36:03.557Z" }, { "VulnerabilityID": "CVE-2025-69420", "PkgID": "libcrypto3@3.6.0-r6", "PkgName": "libcrypto3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "58bf5cfcbbfa353d", "BOMRef": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69420", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:2c091f0f34533c9109d50fecdfaf9e1a2c732642ab49b6dcef2c3fd4e8449d20", "Title": "openssl: OpenSSL: Denial of Service via malformed TimeStamp Response", "Description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response\nverification code where an ASN1_TYPE union member is accessed without first\nvalidating the type, causing an invalid or NULL pointer dereference when\nprocessing a malformed TimeStamp Response file.\n\nImpact summary: An application calling TS_RESP_verify_response() with a\nmalformed TimeStamp Response can be caused to dereference an invalid or\nNULL pointer when reading, resulting in a Denial of Service.\n\nThe functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()\naccess the signing cert attribute value without validating its type.\nWhen the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory\nthrough the ASN1_TYPE union, causing a crash.\n\nExploiting this vulnerability requires an attacker to provide a malformed\nTimeStamp Response to an application that verifies timestamp responses. The\nTimeStamp protocol (RFC 3161) is not widely used and the impact of the\nexploit is just a Denial of Service. For these reasons the issue was\nassessed as Low severity.\n\nThe FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the TimeStamp Response implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-754" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 3, "cbl-mariner": 3, "oracle-oval": 3, "photon": 3, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-69420", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/27c7012c91cc986a598d7540f3079dfde2416eb9", "https://github.com/openssl/openssl/commit/4e254b48ad93cc092be3dd62d97015f33f73133a", "https://github.com/openssl/openssl/commit/564fd9c73787f25693bf9e75faf7bf6bb1305d4e", "https://github.com/openssl/openssl/commit/5eb0770ffcf11b785cf374ff3c19196245e54f1b", "https://github.com/openssl/openssl/commit/a99349ebfc519999edc50620abe24d599b9eb085", "https://linux.oracle.com/cve/CVE-2025-69420.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-69420", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-69420" ], "PublishedDate": "2026-01-27T16:16:34.317Z", "LastModifiedDate": "2026-02-02T18:33:30.557Z" }, { "VulnerabilityID": "CVE-2026-22795", "PkgID": "libcrypto3@3.6.0-r6", "PkgName": "libcrypto3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "58bf5cfcbbfa353d", "BOMRef": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-22795", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:408256fa4df4564e85a6d69f9146d7ffb8e3a9008afe9051d4518391a5836e61", "Title": "openssl: OpenSSL: Denial of Service due to type confusion in PKCS#12 file processing", "Description": "Issue summary: An invalid or NULL pointer dereference can happen in\nan application processing a malformed PKCS#12 file.\n\nImpact summary: An application processing a malformed PKCS#12 file can be\ncaused to dereference an invalid or NULL pointer on memory read, resulting\nin a Denial of Service.\n\nA type confusion vulnerability exists in PKCS#12 parsing code where\nan ASN1_TYPE union member is accessed without first validating the type,\ncausing an invalid pointer read.\n\nThe location is constrained to a 1-byte address space, meaning any\nattempted pointer manipulation can only target addresses between 0x00 and 0xFF.\nThis range corresponds to the zero page, which is unmapped on most modern\noperating systems and will reliably result in a crash, leading only to a\nDenial of Service. Exploiting this issue also requires a user or application\nto process a maliciously crafted PKCS#12 file. It is uncommon to accept\nuntrusted PKCS#12 files in applications as they are usually used to store\nprivate keys which are trusted by definition. For these reasons, the issue\nwas assessed as Low severity.\n\nThe FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-754" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 5.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2026-22795", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4", "https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49", "https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12", "https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e", "https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2", "https://linux.oracle.com/cve/CVE-2026-22795.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-22795", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2026-22795" ], "PublishedDate": "2026-01-27T16:16:35.43Z", "LastModifiedDate": "2026-02-02T18:41:14.917Z" }, { "VulnerabilityID": "CVE-2026-22796", "PkgID": "libcrypto3@3.6.0-r6", "PkgName": "libcrypto3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "58bf5cfcbbfa353d", "BOMRef": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-22796", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:71b2b29013cb5a45d3932e06a926f7556b487aa75488b1e0151b4de3a842c514", "Title": "openssl: OpenSSL: Denial of Service via type confusion in PKCS#7 signature verification", "Description": "Issue summary: A type confusion vulnerability exists in the signature\nverification of signed PKCS#7 data where an ASN1_TYPE union member is\naccessed without first validating the type, causing an invalid or NULL\npointer dereference when processing malformed PKCS#7 data.\n\nImpact summary: An application performing signature verification of PKCS#7\ndata or calling directly the PKCS7_digest_from_attributes() function can be\ncaused to dereference an invalid or NULL pointer when reading, resulting in\na Denial of Service.\n\nThe function PKCS7_digest_from_attributes() accesses the message digest attribute\nvalue without validating its type. When the type is not V_ASN1_OCTET_STRING,\nthis results in accessing invalid memory through the ASN1_TYPE union, causing\na crash.\n\nExploiting this vulnerability requires an attacker to provide a malformed\nsigned PKCS#7 to an application that verifies it. The impact of the\nexploit is just a Denial of Service, the PKCS7 API is legacy and applications\nshould be using the CMS API instead. For these reasons the issue was\nassessed as Low severity.\n\nThe FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#7 parsing implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-754" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2026-22796", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4", "https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49", "https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12", "https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e", "https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2", "https://linux.oracle.com/cve/CVE-2026-22796.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-22796", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2026-22796" ], "PublishedDate": "2026-01-27T16:16:35.543Z", "LastModifiedDate": "2026-02-02T18:40:27.467Z" }, { "VulnerabilityID": "CVE-2026-2673", "PkgID": "libcrypto3@3.6.0-r6", "PkgName": "libcrypto3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "58bf5cfcbbfa353d", "BOMRef": "pkg:apk/wolfi/libcrypto3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r3", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-2673", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:afe7f8e1e2237ece715eaaa684b44a03eeeafce68bb1b0097578acc034d1f045", "Title": "openssl: OpenSSL TLS 1.3 server may choose unexpected key agreement group", "Description": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\npreferred key exchange group when its key exchange group configuration includes\nthe default by using the 'DEFAULT' keyword.\n\nImpact summary: A less preferred key exchange may be used even when a more\npreferred group is supported by both client and server, if the group\nwas not included among the client's initial predicated keyshares.\nThis will sometimes be the case with the new hybrid post-quantum groups,\nif the client chooses to defer their use until specifically requested by\nthe server.\n\nIf an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to\ninterpolate the built-in default group list into its own configuration, perhaps\nadding or removing specific elements, then an implementation defect causes the\n'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups\nwere treated as a single sufficiently secure 'tuple', with the server not\nsending a Hello Retry Request (HRR) even when a group in a more preferred tuple\nwas mutually supported.\n\nAs a result, the client and server might fail to negotiate a mutually supported\npost-quantum key agreement group, such as 'X25519MLKEM768', if the client's\nconfiguration results in only 'classical' groups (such as 'X25519' being the\nonly ones in the client's initial keyshare prediction).\n\nOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\n1.3 key agreement group on TLS servers. The old syntax had a single 'flat'\nlist of groups, and treated all the supported groups as sufficiently secure.\nIf any of the keyshares predicted by the client were supported by the server\nthe most preferred among these was selected, even if other groups supported by\nthe client, but not included in the list of predicted keyshares would have been\nmore preferred, if included.\n\nThe new syntax partitions the groups into distinct 'tuples' of roughly\nequivalent security. Within each tuple the most preferred group included among\nthe client's predicted keyshares is chosen, but if the client supports a group\nfrom a more preferred tuple, but did not predict any corresponding keyshares,\nthe server will ask the client to retry the ClientHello (by issuing a Hello\nRetry Request or HRR) with the most preferred mutually supported group.\n\nThe above works as expected when the server's configuration uses the built-in\ndefault group list, or explicitly defines its own list by directly defining the\nvarious desired groups and group 'tuples'.\n\nNo OpenSSL FIPS modules are affected by this issue, the code in question lies\noutside the FIPS boundary.\n\nOpenSSL 3.6 and 3.5 are vulnerable to this issue.\n\nOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\nOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\n\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.", "Severity": "LOW", "CweIDs": [ "CWE-757" ], "VendorSeverity": { "amazon": 1, "redhat": 1, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "V3Score": 3.1 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/03/13/3", "https://access.redhat.com/security/cve/CVE-2026-2673", "https://github.com/openssl/openssl/commit/2157c9d81f7b0bd7dfa25b960e928ec28e8dd63f", "https://github.com/openssl/openssl/commit/85977e013f32ceb96aa034c0e741adddc1a05e34", "https://nvd.nist.gov/vuln/detail/CVE-2026-2673", "https://openssl-library.org/news/secadv/20260313.txt", "https://www.cve.org/CVERecord?id=CVE-2026-2673" ], "PublishedDate": "2026-03-13T19:54:34.033Z", "LastModifiedDate": "2026-03-17T18:16:15.6Z" }, { "VulnerabilityID": "CVE-2025-15467", "PkgID": "libssl3@3.6.0-r6", "PkgName": "libssl3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "60a8db26e47ae4b9", "BOMRef": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15467", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:6576c2c82b6827cb304064f88863a434ea4443a0e35f725b49913c33cceb93c5", "Title": "openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing", "Description": "Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with\nmaliciously crafted AEAD parameters can trigger a stack buffer overflow.\n\nImpact summary: A stack buffer overflow may lead to a crash, causing Denial\nof Service, or potentially remote code execution.\n\nWhen parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as\nAES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is\ncopied into a fixed-size stack buffer without verifying that its length fits\nthe destination. An attacker can supply a crafted CMS message with an\noversized IV, causing a stack-based out-of-bounds write before any\nauthentication or tag verification occurs.\n\nApplications and services that parse untrusted CMS or PKCS#7 content using\nAEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable.\nBecause the overflow occurs prior to authentication, no valid key material\nis required to trigger it. While exploitability to remote code execution\ndepends on platform and toolchain mitigations, the stack-based write\nprimitive represents a severe risk.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the CMS implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.\n\nOpenSSL 1.1.1 and 1.0.2 are not affected by this issue.", "Severity": "CRITICAL", "CweIDs": [ "CWE-787" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 4, "oracle-oval": 3, "photon": 3, "redhat": 3, "rocky": 3, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 9.8 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/27/10", "http://www.openwall.com/lists/oss-security/2026/02/25/6", "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-15467", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/guiimoraes/CVE-2025-15467", "https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703", "https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9", "https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3", "https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e", "https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc", "https://linux.oracle.com/cve/CVE-2025-15467.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-15467", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-15467" ], "PublishedDate": "2026-01-27T16:16:14.257Z", "LastModifiedDate": "2026-03-19T19:16:19.23Z" }, { "VulnerabilityID": "CVE-2025-69419", "PkgID": "libssl3@3.6.0-r6", "PkgName": "libssl3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "60a8db26e47ae4b9", "BOMRef": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69419", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:7ff660c9e720e4a47a00491edbda8d6a5801a498cbdc3972cf3b705f05eaaec8", "Title": "openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing", "Description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously\ncrafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing\nnon-ASCII BMP code point can trigger a one byte write before the allocated\nbuffer.\n\nImpact summary: The out-of-bounds write can cause a memory corruption\nwhich can have various consequences including a Denial of Service.\n\nThe OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12\nBMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,\nthe helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16\nsource byte count as the destination buffer capacity to UTF8_putc(). For BMP\ncode points above U+07FF, UTF-8 requires three bytes, but the forwarded\ncapacity can be just two bytes. UTF8_putc() then returns -1, and this negative\nvalue is added to the output length without validation, causing the\nlength to become negative. The subsequent trailing NUL byte is then written\nat a negative offset, causing write outside of heap allocated buffer.\n\nThe vulnerability is reachable via the public PKCS12_get_friendlyname() API\nwhen parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a\ndifferent code path that avoids this issue, PKCS12_get_friendlyname() directly\ninvokes the vulnerable function. Exploitation requires an attacker to provide\na malicious PKCS#12 file to be parsed by the application and the attacker\ncan just trigger a one zero byte write before the allocated buffer.\nFor that reason the issue was assessed as Low severity according to our\nSecurity Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.", "Severity": "HIGH", "CweIDs": [ "CWE-787" ], "VendorSeverity": { "alma": 2, "amazon": 3, "azure": 3, "cbl-mariner": 3, "oracle-oval": 2, "photon": 3, "redhat": 2, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "V3Score": 7.4 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:4472", "https://access.redhat.com/security/cve/CVE-2025-69419", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-4472.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296", "https://github.com/openssl/openssl/commit/7e9cac9832e4705b91987c2474ed06a37a93cecb", "https://github.com/openssl/openssl/commit/a26a90d38edec3748566129d824e664b54bee2e2", "https://github.com/openssl/openssl/commit/cda12de3bc0e333ea8d2c6fd15001dbdaf280015", "https://github.com/openssl/openssl/commit/ff628933755075446bca8307e8417c14d164b535", "https://linux.oracle.com/cve/CVE-2025-69419.html", "https://linux.oracle.com/errata/ELSA-2026-50131.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-69419", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-69419" ], "PublishedDate": "2026-01-27T16:16:34.113Z", "LastModifiedDate": "2026-02-02T18:35:02.177Z" }, { "VulnerabilityID": "CVE-2025-69421", "PkgID": "libssl3@3.6.0-r6", "PkgName": "libssl3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "60a8db26e47ae4b9", "BOMRef": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69421", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:af171817eb92e55468ab07bef7ae098f738f0e6113840423c676d6e1fbdfea45", "Title": "openssl: OpenSSL: Denial of Service via malformed PKCS#12 file processing", "Description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer\ndereference in the PKCS12_item_decrypt_d2i_ex() function.\n\nImpact summary: A NULL pointer dereference can trigger a crash which leads to\nDenial of Service for an application processing PKCS#12 files.\n\nThe PKCS12_item_decrypt_d2i_ex() function does not check whether the oct\nparameter is NULL before dereferencing it. When called from\nPKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can\nbe NULL, causing a crash. The vulnerability is limited to Denial of Service\nand cannot be escalated to achieve code execution or memory disclosure.\n\nExploiting this issue requires an attacker to provide a malformed PKCS#12 file\nto an application that processes it. For that reason the issue was assessed as\nLow severity according to our Security Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "Severity": "HIGH", "CweIDs": [ "CWE-476" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "nvd": 3, "oracle-oval": 3, "photon": 3, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-69421", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/3524a29271f8191b8fd8a5257eb05173982a097b", "https://github.com/openssl/openssl/commit/36ecb4960872a4ce04bf6f1e1f4e78d75ec0c0c7", "https://github.com/openssl/openssl/commit/4bbc8d41a72c842ce4077a8a3eccd1109aaf74bd", "https://github.com/openssl/openssl/commit/643986985cd1c21221f941129d76fe0c2785aeb3", "https://github.com/openssl/openssl/commit/a2dbc539f0f9cc63832709fa5aa33ad9495eb19c", "https://linux.oracle.com/cve/CVE-2025-69421.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-69421", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-69421" ], "PublishedDate": "2026-01-27T16:16:34.437Z", "LastModifiedDate": "2026-02-28T04:16:17.457Z" }, { "VulnerabilityID": "CVE-2025-11187", "PkgID": "libssl3@3.6.0-r6", "PkgName": "libssl3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "60a8db26e47ae4b9", "BOMRef": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-11187", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:dd7cda863c749f01f7ba1d4c9fc5d5ba9e75563ae62ea2f73e0f43bf29e2f1cc", "Title": "openssl: OpenSSL: Arbitrary code execution or denial of service through crafted PKCS#12 file", "Description": "Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation\nwhich can trigger a stack-based buffer overflow, invalid pointer or NULL\npointer dereference during MAC verification.\n\nImpact summary: The stack buffer overflow or NULL pointer dereference may\ncause a crash leading to Denial of Service for an application that parses\nuntrusted PKCS#12 files. The buffer overflow may also potentially enable\ncode execution depending on platform mitigations.\n\nWhen verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2\nsalt and keylength parameters from the file are used without validation.\nIf the value of keylength exceeds the size of the fixed stack buffer used\nfor the derived key (64 bytes), the key derivation will overflow the buffer.\nThe overflow length is attacker-controlled. Also, if the salt parameter is\nnot an OCTET STRING type this can lead to invalid or NULL pointer\ndereference.\n\nExploiting this issue requires a user or application to process\na maliciously crafted PKCS#12 file. It is uncommon to accept untrusted\nPKCS#12 files in applications as they are usually used to store private\nkeys which are trusted by definition. For this reason the issue was assessed\nas Moderate severity.\n\nThe FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as\nPKCS#12 processing is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.\n\nOpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do\nnot support PBMAC1 in PKCS#12.", "Severity": "MEDIUM", "CweIDs": [ "CWE-476", "CWE-787" ], "VendorSeverity": { "alma": 3, "oracle-oval": 3, "redhat": 2, "rocky": 3, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H", "V3Score": 6.1 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-11187", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/metadust/CVE-2025-11187", "https://github.com/openssl/openssl/commit/205e3a55e16e4bd08c12fdbd3416ab829c0f6206", "https://github.com/openssl/openssl/commit/8caf359d6e46fb413e8f5f0df765d2e8a51df4e8", "https://github.com/openssl/openssl/commit/e1079bc17ed93ff16f6b86f33a2fe3336e78817e", "https://linux.oracle.com/cve/CVE-2025-11187.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-11187", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-11187" ], "PublishedDate": "2026-01-27T16:16:14.093Z", "LastModifiedDate": "2026-03-20T14:16:13.89Z" }, { "VulnerabilityID": "CVE-2025-15468", "PkgID": "libssl3@3.6.0-r6", "PkgName": "libssl3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "60a8db26e47ae4b9", "BOMRef": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15468", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:a675f7616306a98129f664f03309c5fb88584833663cbce6cd8907827ba26089", "Title": "openssl: OpenSSL: Denial of Service via NULL pointer dereference in QUIC protocol handling", "Description": "Issue summary: If an application using the SSL_CIPHER_find() function in\na QUIC protocol client or server receives an unknown cipher suite from\nthe peer, a NULL dereference occurs.\n\nImpact summary: A NULL pointer dereference leads to abnormal termination of\nthe running process causing Denial of Service.\n\nSome applications call SSL_CIPHER_find() from the client_hello_cb callback\non the cipher ID received from the peer. If this is done with an SSL object\nimplementing the QUIC protocol, NULL pointer dereference will happen if\nthe examined cipher ID is unknown or unsupported.\n\nAs it is not very common to call this function in applications using the QUIC \nprotocol and the worst outcome is Denial of Service, the issue was assessed\nas Low severity.\n\nThe vulnerable code was introduced in the 3.2 version with the addition\nof the QUIC protocol support.\n\nThe FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue,\nas the QUIC implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.\n\nOpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-476" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-15468", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/1f08e54bad32843044fe8a675948d65e3b4ece65", "https://github.com/openssl/openssl/commit/7c88376731c589ee5b36116c5a6e32d5ae5f7ae2", "https://github.com/openssl/openssl/commit/b2539639400288a4580fe2d76247541b976bade4", "https://github.com/openssl/openssl/commit/d75b309879631d45b972396ce4e5102559c64ac7", "https://linux.oracle.com/cve/CVE-2025-15468.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-15468", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-15468" ], "PublishedDate": "2026-01-27T16:16:14.4Z", "LastModifiedDate": "2026-02-02T18:38:00.947Z" }, { "VulnerabilityID": "CVE-2025-15469", "PkgID": "libssl3@3.6.0-r6", "PkgName": "libssl3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "60a8db26e47ae4b9", "BOMRef": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15469", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:d8be95132d3ef93e700f2fe27ac1b0f6c5558fadedf2f4581f65edcedaf1a9b9", "Title": "openssl: OpenSSL: Data integrity bypass in `openssl dgst` command due to silent truncation", "Description": "Issue summary: The 'openssl dgst' command-line tool silently truncates input\ndata to 16MB when using one-shot signing algorithms and reports success instead\nof an error.\n\nImpact summary: A user signing or verifying files larger than 16MB with\none-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire\nfile is authenticated while trailing data beyond 16MB remains unauthenticated.\n\nWhen the 'openssl dgst' command is used with algorithms that only support\none-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input\nis buffered with a 16MB limit. If the input exceeds this limit, the tool\nsilently truncates to the first 16MB and continues without signaling an error,\ncontrary to what the documentation states. This creates an integrity gap where\ntrailing bytes can be modified without detection if both signing and\nverification are performed using the same affected codepath.\n\nThe issue affects only the command-line tool behavior. Verifiers that process\nthe full message using library APIs will reject the signature, so the risk\nprimarily affects workflows that both sign and verify with the affected\n'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and\nlibrary users are unaffected.\n\nThe FIPS modules in 3.5 and 3.6 are not affected by this issue, as the\ncommand-line tools are outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.5 and 3.6 are vulnerable to this issue.\n\nOpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-347" ], "VendorSeverity": { "alma": 3, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "V3Score": 5.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-15469", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/310f305eb92ea8040d6b3cb75a5feeba8e6acf2f", "https://github.com/openssl/openssl/commit/a7936fa4bd23c906e1955a16a0a0ab39a4953a61", "https://linux.oracle.com/cve/CVE-2025-15469.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-15469", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-15469" ], "PublishedDate": "2026-01-27T16:16:14.523Z", "LastModifiedDate": "2026-02-02T18:37:39.313Z" }, { "VulnerabilityID": "CVE-2025-66199", "PkgID": "libssl3@3.6.0-r6", "PkgName": "libssl3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "60a8db26e47ae4b9", "BOMRef": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-66199", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:8a12f53c845a335a27c5efd6e602f2ea99d7d491c8f3d513f2dad7e147101d0b", "Title": "openssl: OpenSSL: Denial of Service due to excessive memory allocation in TLS 1.3 certificate compression", "Description": "Issue summary: A TLS 1.3 connection using certificate compression can be\nforced to allocate a large buffer before decompression without checking\nagainst the configured certificate size limit.\n\nImpact summary: An attacker can cause per-connection memory allocations of\nup to approximately 22 MiB and extra CPU work, potentially leading to\nservice degradation or resource exhaustion (Denial of Service).\n\nIn affected configurations, the peer-supplied uncompressed certificate\nlength from a CompressedCertificate message is used to grow a heap buffer\nprior to decompression. This length is not bounded by the max_cert_list\nsetting, which otherwise constrains certificate message sizes. An attacker\ncan exploit this to cause large per-connection allocations followed by\nhandshake failure. No memory corruption or information disclosure occurs.\n\nThis issue only affects builds where TLS 1.3 certificate compression is\ncompiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression\nalgorithm (brotli, zlib, or zstd) is available, and where the compression\nextension is negotiated. Both clients receiving a server CompressedCertificate\nand servers in mutual TLS scenarios receiving a client CompressedCertificate\nare affected. Servers that do not request client certificates are not\nvulnerable to client-initiated attacks.\n\nUsers can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION\nto disable receiving compressed certificates.\n\nThe FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue,\nas the TLS implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.\n\nOpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-789" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-66199", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/3ed1f75249932b155eef993a8e66a99cb98bfef4", "https://github.com/openssl/openssl/commit/6184a4fb08ee6d7bca570d931a4e8bef40b64451", "https://github.com/openssl/openssl/commit/895150b5e021d16b52fb32b97e1dd12f20448be5", "https://github.com/openssl/openssl/commit/966a2478046c311ed7dae50c457d0db4cafbf7e4", "https://linux.oracle.com/cve/CVE-2025-66199.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-66199", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-66199" ], "PublishedDate": "2026-01-27T16:16:15.777Z", "LastModifiedDate": "2026-02-02T18:37:19.613Z" }, { "VulnerabilityID": "CVE-2025-68160", "PkgID": "libssl3@3.6.0-r6", "PkgName": "libssl3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "60a8db26e47ae4b9", "BOMRef": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-68160", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:9309d8ad37a9e6e76d509ba6f2f1e07c3413149ab95887d912764ddd30d4ef86", "Title": "openssl: OpenSSL: Denial of Service due to out-of-bounds write in BIO filter", "Description": "Issue summary: Writing large, newline-free data into a BIO chain using the\nline-buffering filter where the next BIO performs short writes can trigger\na heap-based out-of-bounds write.\n\nImpact summary: This out-of-bounds write can cause memory corruption which\ntypically results in a crash, leading to Denial of Service for an application.\n\nThe line-buffering BIO filter (BIO_f_linebuffer) is not used by default in\nTLS/SSL data paths. In OpenSSL command-line applications, it is typically\nonly pushed onto stdout/stderr on VMS systems. Third-party applications that\nexplicitly use this filter with a BIO chain that can short-write and that\nwrite large, newline-free data influenced by an attacker would be affected.\nHowever, the circumstances where this could happen are unlikely to be under\nattacker control, and BIO_f_linebuffer is unlikely to be handling non-curated\ndata controlled by an attacker. For that reason the issue was assessed as\nLow severity.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the BIO implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-787" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "V3Score": 4.7 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-68160", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/384011202af92605d926fafe4a0bcd6b65d162ad", "https://github.com/openssl/openssl/commit/475c466ef2fbd8fc1df6fae1c3eed9c813fc8ff6", "https://github.com/openssl/openssl/commit/4c96fbba618e1940f038012506ee9e21d32ee12c", "https://github.com/openssl/openssl/commit/6845c3b6460a98b1ec4e463baa2ea1a63a32d7c0", "https://github.com/openssl/openssl/commit/68a7cd2e2816c3a02f4d45a2ce43fc04fac97096", "https://linux.oracle.com/cve/CVE-2025-68160.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-68160", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-68160" ], "PublishedDate": "2026-01-27T16:16:15.9Z", "LastModifiedDate": "2026-02-02T18:36:57.727Z" }, { "VulnerabilityID": "CVE-2025-69418", "PkgID": "libssl3@3.6.0-r6", "PkgName": "libssl3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "60a8db26e47ae4b9", "BOMRef": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69418", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:ba9f5edbd952f3261d12c760c13a055353a70db924a3bbd24cab7fe8244cee57", "Title": "openssl: OpenSSL: Information disclosure and data tampering via specific low-level OCB encryption/decryption calls", "Description": "Issue summary: When using the low-level OCB API directly with AES-NI or\u003cbr\u003eother hardware-accelerated code paths, inputs whose length is not a multiple\u003cbr\u003eof 16 bytes can leave the final partial block unencrypted and unauthenticated.\u003cbr\u003e\u003cbr\u003eImpact summary: The trailing 1-15 bytes of a message may be exposed in\u003cbr\u003ecleartext on encryption and are not covered by the authentication tag,\u003cbr\u003eallowing an attacker to read or tamper with those bytes without detection.\u003cbr\u003e\u003cbr\u003eThe low-level OCB encrypt and decrypt routines in the hardware-accelerated\u003cbr\u003estream path process full 16-byte blocks but do not advance the input/output\u003cbr\u003epointers. The subsequent tail-handling code then operates on the original\u003cbr\u003ebase pointers, effectively reprocessing the beginning of the buffer while\u003cbr\u003eleaving the actual trailing bytes unprocessed. The authentication checksum\u003cbr\u003ealso excludes the true tail bytes.\u003cbr\u003e\u003cbr\u003eHowever, typical OpenSSL consumers using EVP are not affected because the\u003cbr\u003ehigher-level EVP and provider OCB implementations split inputs so that full\u003cbr\u003eblocks and trailing partial blocks are processed in separate calls, avoiding\u003cbr\u003ethe problematic code path. Additionally, TLS does not use OCB ciphersuites.\u003cbr\u003eThe vulnerability only affects applications that call the low-level\u003cbr\u003eCRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with\u003cbr\u003enon-block-aligned lengths in a single call on hardware-accelerated builds.\u003cbr\u003eFor these reasons the issue was assessed as Low severity.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected\u003cbr\u003eby this issue, as OCB mode is not a FIPS-approved algorithm.\u003cbr\u003e\u003cbr\u003eOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\u003cbr\u003e\u003cbr\u003eOpenSSL 1.0.2 is not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-325" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "V3Score": 4 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-69418", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/372fc5c77529695b05b4f5b5187691a57ef5dffc", "https://github.com/openssl/openssl/commit/4016975d4469cd6b94927c607f7c511385f928d8", "https://github.com/openssl/openssl/commit/52d23c86a54adab5ee9f80e48b242b52c4cc2347", "https://github.com/openssl/openssl/commit/a7589230356d908c0eca4b969ec4f62106f4f5ae", "https://github.com/openssl/openssl/commit/ed40856d7d4ba6cb42779b6770666a65f19cb977", "https://linux.oracle.com/cve/CVE-2025-69418.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-69418", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-69418" ], "PublishedDate": "2026-01-27T16:16:33.253Z", "LastModifiedDate": "2026-02-02T18:36:03.557Z" }, { "VulnerabilityID": "CVE-2025-69420", "PkgID": "libssl3@3.6.0-r6", "PkgName": "libssl3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "60a8db26e47ae4b9", "BOMRef": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69420", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:82497ad7cc28238ff10f83bf2bb141757b69590d818ec6b6d7f4f9ab319ea254", "Title": "openssl: OpenSSL: Denial of Service via malformed TimeStamp Response", "Description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response\nverification code where an ASN1_TYPE union member is accessed without first\nvalidating the type, causing an invalid or NULL pointer dereference when\nprocessing a malformed TimeStamp Response file.\n\nImpact summary: An application calling TS_RESP_verify_response() with a\nmalformed TimeStamp Response can be caused to dereference an invalid or\nNULL pointer when reading, resulting in a Denial of Service.\n\nThe functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()\naccess the signing cert attribute value without validating its type.\nWhen the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory\nthrough the ASN1_TYPE union, causing a crash.\n\nExploiting this vulnerability requires an attacker to provide a malformed\nTimeStamp Response to an application that verifies timestamp responses. The\nTimeStamp protocol (RFC 3161) is not widely used and the impact of the\nexploit is just a Denial of Service. For these reasons the issue was\nassessed as Low severity.\n\nThe FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the TimeStamp Response implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-754" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 3, "cbl-mariner": 3, "oracle-oval": 3, "photon": 3, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-69420", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/27c7012c91cc986a598d7540f3079dfde2416eb9", "https://github.com/openssl/openssl/commit/4e254b48ad93cc092be3dd62d97015f33f73133a", "https://github.com/openssl/openssl/commit/564fd9c73787f25693bf9e75faf7bf6bb1305d4e", "https://github.com/openssl/openssl/commit/5eb0770ffcf11b785cf374ff3c19196245e54f1b", "https://github.com/openssl/openssl/commit/a99349ebfc519999edc50620abe24d599b9eb085", "https://linux.oracle.com/cve/CVE-2025-69420.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-69420", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-69420" ], "PublishedDate": "2026-01-27T16:16:34.317Z", "LastModifiedDate": "2026-02-02T18:33:30.557Z" }, { "VulnerabilityID": "CVE-2026-22795", "PkgID": "libssl3@3.6.0-r6", "PkgName": "libssl3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "60a8db26e47ae4b9", "BOMRef": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-22795", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:91cd73dcd3c0075c300839381666d544d6ec594f7e483ed4fbe6b8497919a5e1", "Title": "openssl: OpenSSL: Denial of Service due to type confusion in PKCS#12 file processing", "Description": "Issue summary: An invalid or NULL pointer dereference can happen in\nan application processing a malformed PKCS#12 file.\n\nImpact summary: An application processing a malformed PKCS#12 file can be\ncaused to dereference an invalid or NULL pointer on memory read, resulting\nin a Denial of Service.\n\nA type confusion vulnerability exists in PKCS#12 parsing code where\nan ASN1_TYPE union member is accessed without first validating the type,\ncausing an invalid pointer read.\n\nThe location is constrained to a 1-byte address space, meaning any\nattempted pointer manipulation can only target addresses between 0x00 and 0xFF.\nThis range corresponds to the zero page, which is unmapped on most modern\noperating systems and will reliably result in a crash, leading only to a\nDenial of Service. Exploiting this issue also requires a user or application\nto process a maliciously crafted PKCS#12 file. It is uncommon to accept\nuntrusted PKCS#12 files in applications as they are usually used to store\nprivate keys which are trusted by definition. For these reasons, the issue\nwas assessed as Low severity.\n\nThe FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-754" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 5.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2026-22795", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4", "https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49", "https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12", "https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e", "https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2", "https://linux.oracle.com/cve/CVE-2026-22795.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-22795", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2026-22795" ], "PublishedDate": "2026-01-27T16:16:35.43Z", "LastModifiedDate": "2026-02-02T18:41:14.917Z" }, { "VulnerabilityID": "CVE-2026-22796", "PkgID": "libssl3@3.6.0-r6", "PkgName": "libssl3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "60a8db26e47ae4b9", "BOMRef": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-22796", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:21707746c32aab7a442336e2000541e1eb3fb87792155526eeac98bf63ecb098", "Title": "openssl: OpenSSL: Denial of Service via type confusion in PKCS#7 signature verification", "Description": "Issue summary: A type confusion vulnerability exists in the signature\nverification of signed PKCS#7 data where an ASN1_TYPE union member is\naccessed without first validating the type, causing an invalid or NULL\npointer dereference when processing malformed PKCS#7 data.\n\nImpact summary: An application performing signature verification of PKCS#7\ndata or calling directly the PKCS7_digest_from_attributes() function can be\ncaused to dereference an invalid or NULL pointer when reading, resulting in\na Denial of Service.\n\nThe function PKCS7_digest_from_attributes() accesses the message digest attribute\nvalue without validating its type. When the type is not V_ASN1_OCTET_STRING,\nthis results in accessing invalid memory through the ASN1_TYPE union, causing\na crash.\n\nExploiting this vulnerability requires an attacker to provide a malformed\nsigned PKCS#7 to an application that verifies it. The impact of the\nexploit is just a Denial of Service, the PKCS7 API is legacy and applications\nshould be using the CMS API instead. For these reasons the issue was\nassessed as Low severity.\n\nThe FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#7 parsing implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-754" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2026-22796", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4", "https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49", "https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12", "https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e", "https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2", "https://linux.oracle.com/cve/CVE-2026-22796.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-22796", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2026-22796" ], "PublishedDate": "2026-01-27T16:16:35.543Z", "LastModifiedDate": "2026-02-02T18:40:27.467Z" }, { "VulnerabilityID": "CVE-2026-2673", "PkgID": "libssl3@3.6.0-r6", "PkgName": "libssl3", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "60a8db26e47ae4b9", "BOMRef": "pkg:apk/wolfi/libssl3@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r3", "Status": "fixed", "Layer": { "Digest": "sha256:a36dbe526a1408d25cb657ea742d44419c7646c3b69530254175dd1c48bf2a1a", "DiffID": "sha256:846629027186e36c6790b79029d977f8b8c2165e8cc655be185075c4d9204141" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-2673", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:6cd589be56a2eebec8f35d932da54f4c64b954666b555f6e8bbd0bdf5cef5414", "Title": "openssl: OpenSSL TLS 1.3 server may choose unexpected key agreement group", "Description": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\npreferred key exchange group when its key exchange group configuration includes\nthe default by using the 'DEFAULT' keyword.\n\nImpact summary: A less preferred key exchange may be used even when a more\npreferred group is supported by both client and server, if the group\nwas not included among the client's initial predicated keyshares.\nThis will sometimes be the case with the new hybrid post-quantum groups,\nif the client chooses to defer their use until specifically requested by\nthe server.\n\nIf an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to\ninterpolate the built-in default group list into its own configuration, perhaps\nadding or removing specific elements, then an implementation defect causes the\n'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups\nwere treated as a single sufficiently secure 'tuple', with the server not\nsending a Hello Retry Request (HRR) even when a group in a more preferred tuple\nwas mutually supported.\n\nAs a result, the client and server might fail to negotiate a mutually supported\npost-quantum key agreement group, such as 'X25519MLKEM768', if the client's\nconfiguration results in only 'classical' groups (such as 'X25519' being the\nonly ones in the client's initial keyshare prediction).\n\nOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\n1.3 key agreement group on TLS servers. The old syntax had a single 'flat'\nlist of groups, and treated all the supported groups as sufficiently secure.\nIf any of the keyshares predicted by the client were supported by the server\nthe most preferred among these was selected, even if other groups supported by\nthe client, but not included in the list of predicted keyshares would have been\nmore preferred, if included.\n\nThe new syntax partitions the groups into distinct 'tuples' of roughly\nequivalent security. Within each tuple the most preferred group included among\nthe client's predicted keyshares is chosen, but if the client supports a group\nfrom a more preferred tuple, but did not predict any corresponding keyshares,\nthe server will ask the client to retry the ClientHello (by issuing a Hello\nRetry Request or HRR) with the most preferred mutually supported group.\n\nThe above works as expected when the server's configuration uses the built-in\ndefault group list, or explicitly defines its own list by directly defining the\nvarious desired groups and group 'tuples'.\n\nNo OpenSSL FIPS modules are affected by this issue, the code in question lies\noutside the FIPS boundary.\n\nOpenSSL 3.6 and 3.5 are vulnerable to this issue.\n\nOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\nOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\n\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.", "Severity": "LOW", "CweIDs": [ "CWE-757" ], "VendorSeverity": { "amazon": 1, "redhat": 1, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "V3Score": 3.1 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/03/13/3", "https://access.redhat.com/security/cve/CVE-2026-2673", "https://github.com/openssl/openssl/commit/2157c9d81f7b0bd7dfa25b960e928ec28e8dd63f", "https://github.com/openssl/openssl/commit/85977e013f32ceb96aa034c0e741adddc1a05e34", "https://nvd.nist.gov/vuln/detail/CVE-2026-2673", "https://openssl-library.org/news/secadv/20260313.txt", "https://www.cve.org/CVERecord?id=CVE-2026-2673" ], "PublishedDate": "2026-03-13T19:54:34.033Z", "LastModifiedDate": "2026-03-17T18:16:15.6Z" }, { "VulnerabilityID": "CVE-2026-0775", "PkgID": "npm@11.7.0-r0", "PkgName": "npm", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201", "UID": "5f4ff9588d6fe35f", "BOMRef": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "11.7.0-r0", "FixedVersion": "11.9.0-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-0775", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:fa676feab305ab3c5eccfe9b3b3c386e2bf796bfef29a92b90a7c966ad1b8722", "Title": "npmcli: npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability", "Description": "npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.", "Severity": "HIGH", "CweIDs": [ "CWE-732" ], "VendorSeverity": { "redhat": 3 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "V3Score": 7 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-0775", "https://nvd.nist.gov/vuln/detail/CVE-2026-0775", "https://www.cve.org/CVERecord?id=CVE-2026-0775", "https://www.zerodayinitiative.com/advisories/ZDI-26-043/" ], "PublishedDate": "2026-01-23T04:16:04.793Z", "LastModifiedDate": "2026-01-26T15:03:51.687Z" }, { "VulnerabilityID": "CVE-2026-24001", "PkgID": "npm@11.7.0-r0", "PkgName": "npm", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201", "UID": "5f4ff9588d6fe35f", "BOMRef": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "11.7.0-r0", "FixedVersion": "11.8.0-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-24001", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:73566d80ffc2f3020bfa6a9725ca729540ca456de894edb0b31f5ff1e0fc178a", "Title": "jsdiff: denial of service vulnerability in parsePatch and applyPatch", "Description": "jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\\r`, `\\u2028`, or `\\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its \"leading garbage\"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\\r`, `\\u2028`, or `\\u2029`.", "Severity": "HIGH", "CweIDs": [ "CWE-400", "CWE-1333" ], "VendorSeverity": { "ghsa": 1, "nvd": 3, "redhat": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U", "V40Score": 2.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-24001", "https://github.com/kpdecker/jsdiff", "https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5", "https://github.com/kpdecker/jsdiff/issues/653", "https://github.com/kpdecker/jsdiff/pull/649", "https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx", "https://nvd.nist.gov/vuln/detail/CVE-2026-24001", "https://www.cve.org/CVERecord?id=CVE-2026-24001" ], "PublishedDate": "2026-01-22T03:15:47.627Z", "LastModifiedDate": "2026-03-04T15:23:41.347Z" }, { "VulnerabilityID": "CVE-2026-24842", "PkgID": "npm@11.7.0-r0", "PkgName": "npm", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201", "UID": "5f4ff9588d6fe35f", "BOMRef": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "11.7.0-r0", "FixedVersion": "11.9.0-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-24842", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:59e17265edc091e092a3936062253f6518424c9b8bd5576905b617e218cbebf2", "Title": "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check", "Description": "node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.", "Severity": "HIGH", "CweIDs": [ "CWE-22", "CWE-59" ], "VendorSeverity": { "amazon": 3, "ghsa": 3, "redhat": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "V3Score": 8.2 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "V3Score": 8.2 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-24842", "https://github.com/isaacs/node-tar", "https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46", "https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v", "https://nvd.nist.gov/vuln/detail/CVE-2026-24842", "https://www.cve.org/CVERecord?id=CVE-2026-24842" ], "PublishedDate": "2026-01-28T01:16:14.947Z", "LastModifiedDate": "2026-02-02T14:30:10.89Z" }, { "VulnerabilityID": "CVE-2026-26960", "PkgID": "npm@11.7.0-r0", "PkgName": "npm", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201", "UID": "5f4ff9588d6fe35f", "BOMRef": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "11.7.0-r0", "FixedVersion": "11.10.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-26960", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:074912ef437ee507954a49a14ad85c0a17da7ff1e4ecb67f4ad59587322a8247", "Title": "tar: node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation", "Description": "node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.", "Severity": "HIGH", "CweIDs": [ "CWE-22" ], "VendorSeverity": { "amazon": 3, "ghsa": 3, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "V3Score": 7.1 }, "nvd": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "V3Score": 7.1 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "V3Score": 7.1 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-26960", "https://github.com/isaacs/node-tar", "https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384", "https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f", "https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx", "https://nvd.nist.gov/vuln/detail/CVE-2026-26960", "https://www.cve.org/CVERecord?id=CVE-2026-26960" ], "PublishedDate": "2026-02-20T02:16:53.883Z", "LastModifiedDate": "2026-02-20T19:24:16.537Z" }, { "VulnerabilityID": "CVE-2026-26996", "PkgID": "npm@11.7.0-r0", "PkgName": "npm", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201", "UID": "5f4ff9588d6fe35f", "BOMRef": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "11.7.0-r0", "FixedVersion": "11.10.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-26996", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:3ca3bddeac6ed59360dfcf73a043f1134496de28204ddd72500b120cbed3b1ec", "Title": "minimatch: minimatch: Denial of Service via specially crafted glob patterns", "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.", "Severity": "HIGH", "CweIDs": [ "CWE-1333" ], "VendorSeverity": { "ghsa": 3, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-26996", "https://github.com/isaacs/minimatch", "https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5", "https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26", "https://nvd.nist.gov/vuln/detail/CVE-2026-26996", "https://www.cve.org/CVERecord?id=CVE-2026-26996" ], "PublishedDate": "2026-02-20T03:16:01.62Z", "LastModifiedDate": "2026-03-06T21:32:10.65Z" }, { "VulnerabilityID": "CVE-2026-23745", "PkgID": "npm@11.7.0-r0", "PkgName": "npm", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201", "UID": "5f4ff9588d6fe35f", "BOMRef": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "11.7.0-r0", "FixedVersion": "11.8.0-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-23745", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:0bd52110ff5ade589a956ad6f37d88634643cc26e09fb6e673b4f610112f2543", "Title": "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives", "Description": "node-tar is a Tar for Node.js. The node-tar library (\u003c= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.", "Severity": "MEDIUM", "CweIDs": [ "CWE-22" ], "VendorSeverity": { "amazon": 3, "ghsa": 3, "nvd": 2, "redhat": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N", "V40Score": 8.2 }, "nvd": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "V3Score": 6.1 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "V3Score": 8.2 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-23745", "https://github.com/isaacs/node-tar", "https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e", "https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97", "https://nvd.nist.gov/vuln/detail/CVE-2026-23745", "https://www.cve.org/CVERecord?id=CVE-2026-23745" ], "PublishedDate": "2026-01-16T22:16:26.83Z", "LastModifiedDate": "2026-02-18T16:20:07.823Z" }, { "VulnerabilityID": "CVE-2026-25547", "PkgID": "npm@11.7.0-r0", "PkgName": "npm", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201", "UID": "5f4ff9588d6fe35f", "BOMRef": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "11.7.0-r0", "FixedVersion": "11.9.0-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-25547", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:17995a91cf4752adba69e8edd67e35896afe02ead879b6b5d7044980b2aa7898", "Title": "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion", "Description": "@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.", "Severity": "MEDIUM", "CweIDs": [ "CWE-1333" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-25547", "https://github.com/isaacs/brace-expansion", "https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2", "https://nvd.nist.gov/vuln/detail/CVE-2026-25547", "https://www.cve.org/CVERecord?id=CVE-2026-25547" ], "PublishedDate": "2026-02-04T22:16:00.813Z", "LastModifiedDate": "2026-02-05T14:57:20.563Z" }, { "VulnerabilityID": "CVE-2026-27903", "PkgID": "npm@11.7.0-r0", "PkgName": "npm", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201", "UID": "5f4ff9588d6fe35f", "BOMRef": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "11.7.0-r0", "FixedVersion": "11.11.0-r1", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27903", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:121a143b66b1d49ecbd35cf0e116ffa7bbfceced1c3c30943aca276ee82c304b", "Title": "minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns", "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-407" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-27903", "https://github.com/isaacs/minimatch", "https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748", "https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj", "https://nvd.nist.gov/vuln/detail/CVE-2026-27903", "https://www.cve.org/CVERecord?id=CVE-2026-27903" ], "PublishedDate": "2026-02-26T02:16:21.353Z", "LastModifiedDate": "2026-02-27T17:21:22.37Z" }, { "VulnerabilityID": "CVE-2026-27904", "PkgID": "npm@11.7.0-r0", "PkgName": "npm", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201", "UID": "5f4ff9588d6fe35f", "BOMRef": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "11.7.0-r0", "FixedVersion": "11.11.0-r1", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27904", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:5a70f237cec86939f78e437ed17d30f193916bd46f99a0787684f4f0cbeaf1ef", "Title": "minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions", "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-1333" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-27904", "https://github.com/isaacs/minimatch", "https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce", "https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74", "https://nvd.nist.gov/vuln/detail/CVE-2026-27904", "https://www.cve.org/CVERecord?id=CVE-2026-27904" ], "PublishedDate": "2026-02-26T02:16:21.76Z", "LastModifiedDate": "2026-02-27T17:16:23.773Z" }, { "VulnerabilityID": "CVE-2026-29786", "PkgID": "npm@11.7.0-r0", "PkgName": "npm", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201", "UID": "5f4ff9588d6fe35f", "BOMRef": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "11.7.0-r0", "FixedVersion": "11.11.0-r2", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-29786", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:7a46056f4ae3d38876ef5805c71433902bfadca337c3ead2b673c6e33a2bb92b", "Title": "node-tar: hardlink path traversal via drive-relative linkpath", "Description": "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.", "Severity": "MEDIUM", "CweIDs": [ "CWE-22", "CWE-59" ], "VendorSeverity": { "amazon": 3, "ghsa": 3, "nvd": 2, "redhat": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L", "V40Score": 8.2 }, "nvd": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "V3Score": 6.3 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "V3Score": 8.6 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-29786", "https://github.com/isaacs/node-tar", "https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f", "https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96", "https://nvd.nist.gov/vuln/detail/CVE-2026-29786", "https://www.cve.org/CVERecord?id=CVE-2026-29786" ], "PublishedDate": "2026-03-07T16:15:55.587Z", "LastModifiedDate": "2026-03-11T21:50:01.91Z" }, { "VulnerabilityID": "CVE-2026-33671", "PkgID": "npm@11.7.0-r0", "PkgName": "npm", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201", "UID": "5f4ff9588d6fe35f", "BOMRef": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "11.7.0-r0", "FixedVersion": "11.12.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-33671", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:5d1329db9d0941f14633ef13d6b61d86a45e14104f02ead1e8e9bafe854c0592", "Title": "picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns", "Description": "Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`. Possible mitigations include disabling extglob support for untrusted patterns by using `noextglob: true`, rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`, enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.", "Severity": "MEDIUM", "CweIDs": [ "CWE-1333" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-33671", "https://github.com/micromatch/picomatch", "https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d", "https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj", "https://nvd.nist.gov/vuln/detail/CVE-2026-33671", "https://www.cve.org/CVERecord?id=CVE-2026-33671" ], "PublishedDate": "2026-03-26T22:16:30.21Z", "LastModifiedDate": "2026-04-01T13:45:11.687Z" }, { "VulnerabilityID": "CVE-2026-33672", "PkgID": "npm@11.7.0-r0", "PkgName": "npm", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201", "UID": "5f4ff9588d6fe35f", "BOMRef": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "11.7.0-r0", "FixedVersion": "11.12.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-33672", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:61b04811e8ce8eae35892f8ba3888ff73ee42a7c47ea4ca3992ad58cee1f9ac5", "Title": "picomatch: Picomatch: Data integrity compromised via method injection with crafted POSIX bracket expressions", "Description": "Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions (e.g., `[[:constructor:]]`) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected `picomatch` versions that process untrusted or user-controlled glob patterns are potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like `[[:...:]]`; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying `POSIX_REGEX_SOURCE` to use a null prototype.", "Severity": "MEDIUM", "CweIDs": [ "CWE-1321" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 5.3 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-33672", "https://github.com/micromatch/picomatch", "https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903", "https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p", "https://nvd.nist.gov/vuln/detail/CVE-2026-33672", "https://www.cve.org/CVERecord?id=CVE-2026-33672" ], "PublishedDate": "2026-03-26T22:16:30.387Z", "LastModifiedDate": "2026-04-01T13:44:53.397Z" }, { "VulnerabilityID": "CVE-2026-33750", "PkgID": "npm@11.7.0-r0", "PkgName": "npm", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201", "UID": "5f4ff9588d6fe35f", "BOMRef": "pkg:apk/wolfi/npm@11.7.0-r0?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "11.7.0-r0", "FixedVersion": "11.12.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-33750", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:2c17172acc306ee8db8e0b3bdb3511c2743fb1b3be6cc3d6fe66b66119436af7", "Title": "brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern", "Description": "The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.", "Severity": "MEDIUM", "CweIDs": [ "CWE-400" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-33750", "https://github.com/juliangruber/brace-expansion", "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113", "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184", "https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5", "https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2", "https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a", "https://github.com/juliangruber/brace-expansion/issues/98", "https://github.com/juliangruber/brace-expansion/pull/95", "https://github.com/juliangruber/brace-expansion/pull/96", "https://github.com/juliangruber/brace-expansion/pull/97", "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v", "https://nvd.nist.gov/vuln/detail/CVE-2026-33750", "https://www.cve.org/CVERecord?id=CVE-2026-33750" ], "PublishedDate": "2026-03-27T15:16:57.297Z", "LastModifiedDate": "2026-03-30T13:26:29.793Z" }, { "VulnerabilityID": "CVE-2025-15467", "PkgID": "openssl@3.6.0-r6", "PkgName": "openssl", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "33ccb52a3220a528", "BOMRef": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15467", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:e28103195dd25ce4f93bd738c2aab5e3f83aa2437c15b61d61ed66a9fef206c9", "Title": "openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing", "Description": "Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with\nmaliciously crafted AEAD parameters can trigger a stack buffer overflow.\n\nImpact summary: A stack buffer overflow may lead to a crash, causing Denial\nof Service, or potentially remote code execution.\n\nWhen parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as\nAES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is\ncopied into a fixed-size stack buffer without verifying that its length fits\nthe destination. An attacker can supply a crafted CMS message with an\noversized IV, causing a stack-based out-of-bounds write before any\nauthentication or tag verification occurs.\n\nApplications and services that parse untrusted CMS or PKCS#7 content using\nAEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable.\nBecause the overflow occurs prior to authentication, no valid key material\nis required to trigger it. While exploitability to remote code execution\ndepends on platform and toolchain mitigations, the stack-based write\nprimitive represents a severe risk.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the CMS implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.\n\nOpenSSL 1.1.1 and 1.0.2 are not affected by this issue.", "Severity": "CRITICAL", "CweIDs": [ "CWE-787" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 4, "oracle-oval": 3, "photon": 3, "redhat": 3, "rocky": 3, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 9.8 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/01/27/10", "http://www.openwall.com/lists/oss-security/2026/02/25/6", "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-15467", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/guiimoraes/CVE-2025-15467", "https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703", "https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9", "https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3", "https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e", "https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc", "https://linux.oracle.com/cve/CVE-2025-15467.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-15467", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-15467" ], "PublishedDate": "2026-01-27T16:16:14.257Z", "LastModifiedDate": "2026-03-19T19:16:19.23Z" }, { "VulnerabilityID": "CVE-2025-69419", "PkgID": "openssl@3.6.0-r6", "PkgName": "openssl", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "33ccb52a3220a528", "BOMRef": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69419", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:6fa3f2e47b4299edec52c58f6595975f622bfe82da29834973300764e2e28838", "Title": "openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing", "Description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously\ncrafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing\nnon-ASCII BMP code point can trigger a one byte write before the allocated\nbuffer.\n\nImpact summary: The out-of-bounds write can cause a memory corruption\nwhich can have various consequences including a Denial of Service.\n\nThe OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12\nBMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,\nthe helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16\nsource byte count as the destination buffer capacity to UTF8_putc(). For BMP\ncode points above U+07FF, UTF-8 requires three bytes, but the forwarded\ncapacity can be just two bytes. UTF8_putc() then returns -1, and this negative\nvalue is added to the output length without validation, causing the\nlength to become negative. The subsequent trailing NUL byte is then written\nat a negative offset, causing write outside of heap allocated buffer.\n\nThe vulnerability is reachable via the public PKCS12_get_friendlyname() API\nwhen parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a\ndifferent code path that avoids this issue, PKCS12_get_friendlyname() directly\ninvokes the vulnerable function. Exploitation requires an attacker to provide\na malicious PKCS#12 file to be parsed by the application and the attacker\ncan just trigger a one zero byte write before the allocated buffer.\nFor that reason the issue was assessed as Low severity according to our\nSecurity Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.", "Severity": "HIGH", "CweIDs": [ "CWE-787" ], "VendorSeverity": { "alma": 2, "amazon": 3, "azure": 3, "cbl-mariner": 3, "oracle-oval": 2, "photon": 3, "redhat": 2, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "V3Score": 7.4 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:4472", "https://access.redhat.com/security/cve/CVE-2025-69419", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-4472.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296", "https://github.com/openssl/openssl/commit/7e9cac9832e4705b91987c2474ed06a37a93cecb", "https://github.com/openssl/openssl/commit/a26a90d38edec3748566129d824e664b54bee2e2", "https://github.com/openssl/openssl/commit/cda12de3bc0e333ea8d2c6fd15001dbdaf280015", "https://github.com/openssl/openssl/commit/ff628933755075446bca8307e8417c14d164b535", "https://linux.oracle.com/cve/CVE-2025-69419.html", "https://linux.oracle.com/errata/ELSA-2026-50131.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-69419", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-69419" ], "PublishedDate": "2026-01-27T16:16:34.113Z", "LastModifiedDate": "2026-02-02T18:35:02.177Z" }, { "VulnerabilityID": "CVE-2025-69421", "PkgID": "openssl@3.6.0-r6", "PkgName": "openssl", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "33ccb52a3220a528", "BOMRef": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69421", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:6240ee21b23364a32c6dd6afc273972fb2d4d8f7cddefa48293e18add269909e", "Title": "openssl: OpenSSL: Denial of Service via malformed PKCS#12 file processing", "Description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer\ndereference in the PKCS12_item_decrypt_d2i_ex() function.\n\nImpact summary: A NULL pointer dereference can trigger a crash which leads to\nDenial of Service for an application processing PKCS#12 files.\n\nThe PKCS12_item_decrypt_d2i_ex() function does not check whether the oct\nparameter is NULL before dereferencing it. When called from\nPKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can\nbe NULL, causing a crash. The vulnerability is limited to Denial of Service\nand cannot be escalated to achieve code execution or memory disclosure.\n\nExploiting this issue requires an attacker to provide a malformed PKCS#12 file\nto an application that processes it. For that reason the issue was assessed as\nLow severity according to our Security Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "Severity": "HIGH", "CweIDs": [ "CWE-476" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "nvd": 3, "oracle-oval": 3, "photon": 3, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-69421", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/3524a29271f8191b8fd8a5257eb05173982a097b", "https://github.com/openssl/openssl/commit/36ecb4960872a4ce04bf6f1e1f4e78d75ec0c0c7", "https://github.com/openssl/openssl/commit/4bbc8d41a72c842ce4077a8a3eccd1109aaf74bd", "https://github.com/openssl/openssl/commit/643986985cd1c21221f941129d76fe0c2785aeb3", "https://github.com/openssl/openssl/commit/a2dbc539f0f9cc63832709fa5aa33ad9495eb19c", "https://linux.oracle.com/cve/CVE-2025-69421.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-69421", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-69421" ], "PublishedDate": "2026-01-27T16:16:34.437Z", "LastModifiedDate": "2026-02-28T04:16:17.457Z" }, { "VulnerabilityID": "CVE-2025-11187", "PkgID": "openssl@3.6.0-r6", "PkgName": "openssl", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "33ccb52a3220a528", "BOMRef": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-11187", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:d996eb68d3c9c689a46795a759193a75f1adf3b27e55090950ec95bd5aa57ce2", "Title": "openssl: OpenSSL: Arbitrary code execution or denial of service through crafted PKCS#12 file", "Description": "Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation\nwhich can trigger a stack-based buffer overflow, invalid pointer or NULL\npointer dereference during MAC verification.\n\nImpact summary: The stack buffer overflow or NULL pointer dereference may\ncause a crash leading to Denial of Service for an application that parses\nuntrusted PKCS#12 files. The buffer overflow may also potentially enable\ncode execution depending on platform mitigations.\n\nWhen verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2\nsalt and keylength parameters from the file are used without validation.\nIf the value of keylength exceeds the size of the fixed stack buffer used\nfor the derived key (64 bytes), the key derivation will overflow the buffer.\nThe overflow length is attacker-controlled. Also, if the salt parameter is\nnot an OCTET STRING type this can lead to invalid or NULL pointer\ndereference.\n\nExploiting this issue requires a user or application to process\na maliciously crafted PKCS#12 file. It is uncommon to accept untrusted\nPKCS#12 files in applications as they are usually used to store private\nkeys which are trusted by definition. For this reason the issue was assessed\nas Moderate severity.\n\nThe FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as\nPKCS#12 processing is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.\n\nOpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do\nnot support PBMAC1 in PKCS#12.", "Severity": "MEDIUM", "CweIDs": [ "CWE-476", "CWE-787" ], "VendorSeverity": { "alma": 3, "oracle-oval": 3, "redhat": 2, "rocky": 3, "ubuntu": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H", "V3Score": 6.1 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-11187", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/metadust/CVE-2025-11187", "https://github.com/openssl/openssl/commit/205e3a55e16e4bd08c12fdbd3416ab829c0f6206", "https://github.com/openssl/openssl/commit/8caf359d6e46fb413e8f5f0df765d2e8a51df4e8", "https://github.com/openssl/openssl/commit/e1079bc17ed93ff16f6b86f33a2fe3336e78817e", "https://linux.oracle.com/cve/CVE-2025-11187.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-11187", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-11187" ], "PublishedDate": "2026-01-27T16:16:14.093Z", "LastModifiedDate": "2026-03-20T14:16:13.89Z" }, { "VulnerabilityID": "CVE-2025-15468", "PkgID": "openssl@3.6.0-r6", "PkgName": "openssl", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "33ccb52a3220a528", "BOMRef": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15468", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:c7f7683ddabc6b478ab8da497b68df76e53c2cc9d41521d68be0b60474e61bc7", "Title": "openssl: OpenSSL: Denial of Service via NULL pointer dereference in QUIC protocol handling", "Description": "Issue summary: If an application using the SSL_CIPHER_find() function in\na QUIC protocol client or server receives an unknown cipher suite from\nthe peer, a NULL dereference occurs.\n\nImpact summary: A NULL pointer dereference leads to abnormal termination of\nthe running process causing Denial of Service.\n\nSome applications call SSL_CIPHER_find() from the client_hello_cb callback\non the cipher ID received from the peer. If this is done with an SSL object\nimplementing the QUIC protocol, NULL pointer dereference will happen if\nthe examined cipher ID is unknown or unsupported.\n\nAs it is not very common to call this function in applications using the QUIC \nprotocol and the worst outcome is Denial of Service, the issue was assessed\nas Low severity.\n\nThe vulnerable code was introduced in the 3.2 version with the addition\nof the QUIC protocol support.\n\nThe FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue,\nas the QUIC implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.\n\nOpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-476" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-15468", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/1f08e54bad32843044fe8a675948d65e3b4ece65", "https://github.com/openssl/openssl/commit/7c88376731c589ee5b36116c5a6e32d5ae5f7ae2", "https://github.com/openssl/openssl/commit/b2539639400288a4580fe2d76247541b976bade4", "https://github.com/openssl/openssl/commit/d75b309879631d45b972396ce4e5102559c64ac7", "https://linux.oracle.com/cve/CVE-2025-15468.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-15468", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-15468" ], "PublishedDate": "2026-01-27T16:16:14.4Z", "LastModifiedDate": "2026-02-02T18:38:00.947Z" }, { "VulnerabilityID": "CVE-2025-15469", "PkgID": "openssl@3.6.0-r6", "PkgName": "openssl", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "33ccb52a3220a528", "BOMRef": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15469", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:175c9a01780eef489376fb085a34b366307a871741096eae10d7e72dba31be6c", "Title": "openssl: OpenSSL: Data integrity bypass in `openssl dgst` command due to silent truncation", "Description": "Issue summary: The 'openssl dgst' command-line tool silently truncates input\ndata to 16MB when using one-shot signing algorithms and reports success instead\nof an error.\n\nImpact summary: A user signing or verifying files larger than 16MB with\none-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire\nfile is authenticated while trailing data beyond 16MB remains unauthenticated.\n\nWhen the 'openssl dgst' command is used with algorithms that only support\none-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input\nis buffered with a 16MB limit. If the input exceeds this limit, the tool\nsilently truncates to the first 16MB and continues without signaling an error,\ncontrary to what the documentation states. This creates an integrity gap where\ntrailing bytes can be modified without detection if both signing and\nverification are performed using the same affected codepath.\n\nThe issue affects only the command-line tool behavior. Verifiers that process\nthe full message using library APIs will reject the signature, so the risk\nprimarily affects workflows that both sign and verify with the affected\n'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and\nlibrary users are unaffected.\n\nThe FIPS modules in 3.5 and 3.6 are not affected by this issue, as the\ncommand-line tools are outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.5 and 3.6 are vulnerable to this issue.\n\nOpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-347" ], "VendorSeverity": { "alma": 3, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "V3Score": 5.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-15469", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/310f305eb92ea8040d6b3cb75a5feeba8e6acf2f", "https://github.com/openssl/openssl/commit/a7936fa4bd23c906e1955a16a0a0ab39a4953a61", "https://linux.oracle.com/cve/CVE-2025-15469.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-15469", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-15469" ], "PublishedDate": "2026-01-27T16:16:14.523Z", "LastModifiedDate": "2026-02-02T18:37:39.313Z" }, { "VulnerabilityID": "CVE-2025-66199", "PkgID": "openssl@3.6.0-r6", "PkgName": "openssl", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "33ccb52a3220a528", "BOMRef": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-66199", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:930e25d550efcd753022d8d0a68830d2d73c7061e3af1e1bdcddc1b7f28e8e4d", "Title": "openssl: OpenSSL: Denial of Service due to excessive memory allocation in TLS 1.3 certificate compression", "Description": "Issue summary: A TLS 1.3 connection using certificate compression can be\nforced to allocate a large buffer before decompression without checking\nagainst the configured certificate size limit.\n\nImpact summary: An attacker can cause per-connection memory allocations of\nup to approximately 22 MiB and extra CPU work, potentially leading to\nservice degradation or resource exhaustion (Denial of Service).\n\nIn affected configurations, the peer-supplied uncompressed certificate\nlength from a CompressedCertificate message is used to grow a heap buffer\nprior to decompression. This length is not bounded by the max_cert_list\nsetting, which otherwise constrains certificate message sizes. An attacker\ncan exploit this to cause large per-connection allocations followed by\nhandshake failure. No memory corruption or information disclosure occurs.\n\nThis issue only affects builds where TLS 1.3 certificate compression is\ncompiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression\nalgorithm (brotli, zlib, or zstd) is available, and where the compression\nextension is negotiated. Both clients receiving a server CompressedCertificate\nand servers in mutual TLS scenarios receiving a client CompressedCertificate\nare affected. Servers that do not request client certificates are not\nvulnerable to client-initiated attacks.\n\nUsers can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION\nto disable receiving compressed certificates.\n\nThe FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue,\nas the TLS implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.\n\nOpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-789" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-66199", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/3ed1f75249932b155eef993a8e66a99cb98bfef4", "https://github.com/openssl/openssl/commit/6184a4fb08ee6d7bca570d931a4e8bef40b64451", "https://github.com/openssl/openssl/commit/895150b5e021d16b52fb32b97e1dd12f20448be5", "https://github.com/openssl/openssl/commit/966a2478046c311ed7dae50c457d0db4cafbf7e4", "https://linux.oracle.com/cve/CVE-2025-66199.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-66199", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://www.cve.org/CVERecord?id=CVE-2025-66199" ], "PublishedDate": "2026-01-27T16:16:15.777Z", "LastModifiedDate": "2026-02-02T18:37:19.613Z" }, { "VulnerabilityID": "CVE-2025-68160", "PkgID": "openssl@3.6.0-r6", "PkgName": "openssl", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "33ccb52a3220a528", "BOMRef": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-68160", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:3ccddf318a1ec0637006cbf2a8612c4350d911bfacfaefdd19b77c6dc4924c7d", "Title": "openssl: OpenSSL: Denial of Service due to out-of-bounds write in BIO filter", "Description": "Issue summary: Writing large, newline-free data into a BIO chain using the\nline-buffering filter where the next BIO performs short writes can trigger\na heap-based out-of-bounds write.\n\nImpact summary: This out-of-bounds write can cause memory corruption which\ntypically results in a crash, leading to Denial of Service for an application.\n\nThe line-buffering BIO filter (BIO_f_linebuffer) is not used by default in\nTLS/SSL data paths. In OpenSSL command-line applications, it is typically\nonly pushed onto stdout/stderr on VMS systems. Third-party applications that\nexplicitly use this filter with a BIO chain that can short-write and that\nwrite large, newline-free data influenced by an attacker would be affected.\nHowever, the circumstances where this could happen are unlikely to be under\nattacker control, and BIO_f_linebuffer is unlikely to be handling non-curated\ndata controlled by an attacker. For that reason the issue was assessed as\nLow severity.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the BIO implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-787" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "V3Score": 4.7 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-68160", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/384011202af92605d926fafe4a0bcd6b65d162ad", "https://github.com/openssl/openssl/commit/475c466ef2fbd8fc1df6fae1c3eed9c813fc8ff6", "https://github.com/openssl/openssl/commit/4c96fbba618e1940f038012506ee9e21d32ee12c", "https://github.com/openssl/openssl/commit/6845c3b6460a98b1ec4e463baa2ea1a63a32d7c0", "https://github.com/openssl/openssl/commit/68a7cd2e2816c3a02f4d45a2ce43fc04fac97096", "https://linux.oracle.com/cve/CVE-2025-68160.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-68160", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-68160" ], "PublishedDate": "2026-01-27T16:16:15.9Z", "LastModifiedDate": "2026-02-02T18:36:57.727Z" }, { "VulnerabilityID": "CVE-2025-69418", "PkgID": "openssl@3.6.0-r6", "PkgName": "openssl", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "33ccb52a3220a528", "BOMRef": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69418", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:9ca32acd0a76df4b0b27c4663e506277c4979123d23d44fc3d7298c4a5ca5890", "Title": "openssl: OpenSSL: Information disclosure and data tampering via specific low-level OCB encryption/decryption calls", "Description": "Issue summary: When using the low-level OCB API directly with AES-NI or\u003cbr\u003eother hardware-accelerated code paths, inputs whose length is not a multiple\u003cbr\u003eof 16 bytes can leave the final partial block unencrypted and unauthenticated.\u003cbr\u003e\u003cbr\u003eImpact summary: The trailing 1-15 bytes of a message may be exposed in\u003cbr\u003ecleartext on encryption and are not covered by the authentication tag,\u003cbr\u003eallowing an attacker to read or tamper with those bytes without detection.\u003cbr\u003e\u003cbr\u003eThe low-level OCB encrypt and decrypt routines in the hardware-accelerated\u003cbr\u003estream path process full 16-byte blocks but do not advance the input/output\u003cbr\u003epointers. The subsequent tail-handling code then operates on the original\u003cbr\u003ebase pointers, effectively reprocessing the beginning of the buffer while\u003cbr\u003eleaving the actual trailing bytes unprocessed. The authentication checksum\u003cbr\u003ealso excludes the true tail bytes.\u003cbr\u003e\u003cbr\u003eHowever, typical OpenSSL consumers using EVP are not affected because the\u003cbr\u003ehigher-level EVP and provider OCB implementations split inputs so that full\u003cbr\u003eblocks and trailing partial blocks are processed in separate calls, avoiding\u003cbr\u003ethe problematic code path. Additionally, TLS does not use OCB ciphersuites.\u003cbr\u003eThe vulnerability only affects applications that call the low-level\u003cbr\u003eCRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with\u003cbr\u003enon-block-aligned lengths in a single call on hardware-accelerated builds.\u003cbr\u003eFor these reasons the issue was assessed as Low severity.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected\u003cbr\u003eby this issue, as OCB mode is not a FIPS-approved algorithm.\u003cbr\u003e\u003cbr\u003eOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\u003cbr\u003e\u003cbr\u003eOpenSSL 1.0.2 is not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-325" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "V3Score": 4 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-69418", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/372fc5c77529695b05b4f5b5187691a57ef5dffc", "https://github.com/openssl/openssl/commit/4016975d4469cd6b94927c607f7c511385f928d8", "https://github.com/openssl/openssl/commit/52d23c86a54adab5ee9f80e48b242b52c4cc2347", "https://github.com/openssl/openssl/commit/a7589230356d908c0eca4b969ec4f62106f4f5ae", "https://github.com/openssl/openssl/commit/ed40856d7d4ba6cb42779b6770666a65f19cb977", "https://linux.oracle.com/cve/CVE-2025-69418.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-69418", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-69418" ], "PublishedDate": "2026-01-27T16:16:33.253Z", "LastModifiedDate": "2026-02-02T18:36:03.557Z" }, { "VulnerabilityID": "CVE-2025-69420", "PkgID": "openssl@3.6.0-r6", "PkgName": "openssl", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "33ccb52a3220a528", "BOMRef": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-69420", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:66e5761707191ca321a16b5df8e38eebe2fa85c466753066a4faa46b7eaeaeeb", "Title": "openssl: OpenSSL: Denial of Service via malformed TimeStamp Response", "Description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response\nverification code where an ASN1_TYPE union member is accessed without first\nvalidating the type, causing an invalid or NULL pointer dereference when\nprocessing a malformed TimeStamp Response file.\n\nImpact summary: An application calling TS_RESP_verify_response() with a\nmalformed TimeStamp Response can be caused to dereference an invalid or\nNULL pointer when reading, resulting in a Denial of Service.\n\nThe functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()\naccess the signing cert attribute value without validating its type.\nWhen the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory\nthrough the ASN1_TYPE union, causing a crash.\n\nExploiting this vulnerability requires an attacker to provide a malformed\nTimeStamp Response to an application that verifies timestamp responses. The\nTimeStamp protocol (RFC 3161) is not widely used and the impact of the\nexploit is just a Denial of Service. For these reasons the issue was\nassessed as Low severity.\n\nThe FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the TimeStamp Response implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-754" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 3, "cbl-mariner": 3, "oracle-oval": 3, "photon": 3, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2025-69420", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/27c7012c91cc986a598d7540f3079dfde2416eb9", "https://github.com/openssl/openssl/commit/4e254b48ad93cc092be3dd62d97015f33f73133a", "https://github.com/openssl/openssl/commit/564fd9c73787f25693bf9e75faf7bf6bb1305d4e", "https://github.com/openssl/openssl/commit/5eb0770ffcf11b785cf374ff3c19196245e54f1b", "https://github.com/openssl/openssl/commit/a99349ebfc519999edc50620abe24d599b9eb085", "https://linux.oracle.com/cve/CVE-2025-69420.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2025-69420", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2025-69420" ], "PublishedDate": "2026-01-27T16:16:34.317Z", "LastModifiedDate": "2026-02-02T18:33:30.557Z" }, { "VulnerabilityID": "CVE-2026-22795", "PkgID": "openssl@3.6.0-r6", "PkgName": "openssl", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "33ccb52a3220a528", "BOMRef": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-22795", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:d385db4ef1e6190224aba46f3f4ac02d0046b3c5d96b1aa30150df813b17f89f", "Title": "openssl: OpenSSL: Denial of Service due to type confusion in PKCS#12 file processing", "Description": "Issue summary: An invalid or NULL pointer dereference can happen in\nan application processing a malformed PKCS#12 file.\n\nImpact summary: An application processing a malformed PKCS#12 file can be\ncaused to dereference an invalid or NULL pointer on memory read, resulting\nin a Denial of Service.\n\nA type confusion vulnerability exists in PKCS#12 parsing code where\nan ASN1_TYPE union member is accessed without first validating the type,\ncausing an invalid pointer read.\n\nThe location is constrained to a 1-byte address space, meaning any\nattempted pointer manipulation can only target addresses between 0x00 and 0xFF.\nThis range corresponds to the zero page, which is unmapped on most modern\noperating systems and will reliably result in a crash, leading only to a\nDenial of Service. Exploiting this issue also requires a user or application\nto process a maliciously crafted PKCS#12 file. It is uncommon to accept\nuntrusted PKCS#12 files in applications as they are usually used to store\nprivate keys which are trusted by definition. For these reasons, the issue\nwas assessed as Low severity.\n\nThe FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-754" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 5.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2026-22795", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4", "https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49", "https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12", "https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e", "https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2", "https://linux.oracle.com/cve/CVE-2026-22795.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-22795", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2026-22795" ], "PublishedDate": "2026-01-27T16:16:35.43Z", "LastModifiedDate": "2026-02-02T18:41:14.917Z" }, { "VulnerabilityID": "CVE-2026-22796", "PkgID": "openssl@3.6.0-r6", "PkgName": "openssl", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "33ccb52a3220a528", "BOMRef": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-22796", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:b99c8ca022d35040586b636110f1b7e2247ef02a229416d5926f566a08ee4607", "Title": "openssl: OpenSSL: Denial of Service via type confusion in PKCS#7 signature verification", "Description": "Issue summary: A type confusion vulnerability exists in the signature\nverification of signed PKCS#7 data where an ASN1_TYPE union member is\naccessed without first validating the type, causing an invalid or NULL\npointer dereference when processing malformed PKCS#7 data.\n\nImpact summary: An application performing signature verification of PKCS#7\ndata or calling directly the PKCS7_digest_from_attributes() function can be\ncaused to dereference an invalid or NULL pointer when reading, resulting in\na Denial of Service.\n\nThe function PKCS7_digest_from_attributes() accesses the message digest attribute\nvalue without validating its type. When the type is not V_ASN1_OCTET_STRING,\nthis results in accessing invalid memory through the ASN1_TYPE union, causing\na crash.\n\nExploiting this vulnerability requires an attacker to provide a malformed\nsigned PKCS#7 to an application that verifies it. The impact of the\nexploit is just a Denial of Service, the PKCS7 API is legacy and applications\nshould be using the CMS API instead. For these reasons the issue was\nassessed as Low severity.\n\nThe FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#7 parsing implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-754" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 2, "cbl-mariner": 2, "oracle-oval": 3, "photon": 2, "redhat": 1, "rocky": 3, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1473", "https://access.redhat.com/security/cve/CVE-2026-22796", "https://bugzilla.redhat.com/2430375", "https://bugzilla.redhat.com/2430376", "https://bugzilla.redhat.com/2430377", "https://bugzilla.redhat.com/2430378", "https://bugzilla.redhat.com/2430379", "https://bugzilla.redhat.com/2430380", "https://bugzilla.redhat.com/2430381", "https://bugzilla.redhat.com/2430386", "https://bugzilla.redhat.com/2430387", "https://bugzilla.redhat.com/2430388", "https://bugzilla.redhat.com/2430389", "https://bugzilla.redhat.com/2430390", "https://bugzilla.redhat.com/show_bug.cgi?id=2430375", "https://bugzilla.redhat.com/show_bug.cgi?id=2430376", "https://bugzilla.redhat.com/show_bug.cgi?id=2430377", "https://bugzilla.redhat.com/show_bug.cgi?id=2430378", "https://bugzilla.redhat.com/show_bug.cgi?id=2430379", "https://bugzilla.redhat.com/show_bug.cgi?id=2430380", "https://bugzilla.redhat.com/show_bug.cgi?id=2430381", "https://bugzilla.redhat.com/show_bug.cgi?id=2430386", "https://bugzilla.redhat.com/show_bug.cgi?id=2430387", "https://bugzilla.redhat.com/show_bug.cgi?id=2430388", "https://bugzilla.redhat.com/show_bug.cgi?id=2430389", "https://bugzilla.redhat.com/show_bug.cgi?id=2430390", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11187", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15467", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15468", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15469", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66199", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68160", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69418", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69419", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69420", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69421", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22795", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22796", "https://errata.almalinux.org/9/ALSA-2026-1473.html", "https://errata.rockylinux.org/RLSA-2026:1473", "https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4", "https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49", "https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12", "https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e", "https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2", "https://linux.oracle.com/cve/CVE-2026-22796.html", "https://linux.oracle.com/errata/ELSA-2026-50081.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-22796", "https://openssl-library.org/news/secadv/20260127.txt", "https://ubuntu.com/security/notices/USN-7980-1", "https://ubuntu.com/security/notices/USN-7980-2", "https://www.cve.org/CVERecord?id=CVE-2026-22796" ], "PublishedDate": "2026-01-27T16:16:35.543Z", "LastModifiedDate": "2026-02-02T18:40:27.467Z" }, { "VulnerabilityID": "CVE-2026-2673", "PkgID": "openssl@3.6.0-r6", "PkgName": "openssl", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201", "UID": "33ccb52a3220a528", "BOMRef": "pkg:apk/wolfi/openssl@3.6.0-r6?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.6.0-r6", "FixedVersion": "3.6.1-r3", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-2673", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:1e00ce96fed4aaf8636066f5bca612b3adefe86879a2ab05a2c22ee33b16cc36", "Title": "openssl: OpenSSL TLS 1.3 server may choose unexpected key agreement group", "Description": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected\npreferred key exchange group when its key exchange group configuration includes\nthe default by using the 'DEFAULT' keyword.\n\nImpact summary: A less preferred key exchange may be used even when a more\npreferred group is supported by both client and server, if the group\nwas not included among the client's initial predicated keyshares.\nThis will sometimes be the case with the new hybrid post-quantum groups,\nif the client chooses to defer their use until specifically requested by\nthe server.\n\nIf an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to\ninterpolate the built-in default group list into its own configuration, perhaps\nadding or removing specific elements, then an implementation defect causes the\n'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups\nwere treated as a single sufficiently secure 'tuple', with the server not\nsending a Hello Retry Request (HRR) even when a group in a more preferred tuple\nwas mutually supported.\n\nAs a result, the client and server might fail to negotiate a mutually supported\npost-quantum key agreement group, such as 'X25519MLKEM768', if the client's\nconfiguration results in only 'classical' groups (such as 'X25519' being the\nonly ones in the client's initial keyshare prediction).\n\nOpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS\n1.3 key agreement group on TLS servers. The old syntax had a single 'flat'\nlist of groups, and treated all the supported groups as sufficiently secure.\nIf any of the keyshares predicted by the client were supported by the server\nthe most preferred among these was selected, even if other groups supported by\nthe client, but not included in the list of predicted keyshares would have been\nmore preferred, if included.\n\nThe new syntax partitions the groups into distinct 'tuples' of roughly\nequivalent security. Within each tuple the most preferred group included among\nthe client's predicted keyshares is chosen, but if the client supports a group\nfrom a more preferred tuple, but did not predict any corresponding keyshares,\nthe server will ask the client to retry the ClientHello (by issuing a Hello\nRetry Request or HRR) with the most preferred mutually supported group.\n\nThe above works as expected when the server's configuration uses the built-in\ndefault group list, or explicitly defines its own list by directly defining the\nvarious desired groups and group 'tuples'.\n\nNo OpenSSL FIPS modules are affected by this issue, the code in question lies\noutside the FIPS boundary.\n\nOpenSSL 3.6 and 3.5 are vulnerable to this issue.\n\nOpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released.\nOpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released.\n\nOpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.", "Severity": "LOW", "CweIDs": [ "CWE-757" ], "VendorSeverity": { "amazon": 1, "redhat": 1, "ubuntu": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "V3Score": 3.1 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/03/13/3", "https://access.redhat.com/security/cve/CVE-2026-2673", "https://github.com/openssl/openssl/commit/2157c9d81f7b0bd7dfa25b960e928ec28e8dd63f", "https://github.com/openssl/openssl/commit/85977e013f32ceb96aa034c0e741adddc1a05e34", "https://nvd.nist.gov/vuln/detail/CVE-2026-2673", "https://openssl-library.org/news/secadv/20260313.txt", "https://www.cve.org/CVERecord?id=CVE-2026-2673" ], "PublishedDate": "2026-03-13T19:54:34.033Z", "LastModifiedDate": "2026-03-17T18:16:15.6Z" }, { "VulnerabilityID": "CVE-2026-23949", "PkgID": "py3.13-setuptools@80.9.0-r4", "PkgName": "py3.13-setuptools", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/py3.13-setuptools@80.9.0-r4?arch=x86_64\u0026distro=20230201", "UID": "7671f43b0dd5e463", "BOMRef": "pkg:apk/wolfi/py3.13-setuptools@80.9.0-r4?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "80.9.0-r4", "FixedVersion": "80.10.1-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-23949", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:aa6f9a003cb6a64cb44ce26f94cf4f5208a8b87fb4c200cc2e942adac561eadc", "Title": "jaraco.context: jaraco.context: Path traversal via malicious tar archives", "Description": "jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`. Note that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`. Version 6.1.0 contains a patch for the issue.", "Severity": "HIGH", "CweIDs": [ "CWE-22" ], "VendorSeverity": { "ghsa": 3, "redhat": 3, "ubuntu": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "V3Score": 8.6 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "V3Score": 8.6 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-23949", "https://github.com/jaraco/jaraco.context", "https://github.com/jaraco/jaraco.context/blob/main/jaraco/context/__init__.py#L74-L91", "https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9", "https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2", "https://github.com/pypa/setuptools/blob/main/setuptools/_vendor/jaraco/context.py#L55-L76", "https://nvd.nist.gov/vuln/detail/CVE-2026-23949", "https://ubuntu.com/security/notices/USN-7979-1", "https://www.cve.org/CVERecord?id=CVE-2026-23949" ], "PublishedDate": "2026-01-20T01:15:57.723Z", "LastModifiedDate": "2026-03-11T23:12:19.323Z" }, { "VulnerabilityID": "CVE-2026-24049", "PkgID": "py3.13-setuptools@80.9.0-r4", "PkgName": "py3.13-setuptools", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/py3.13-setuptools@80.9.0-r4?arch=x86_64\u0026distro=20230201", "UID": "7671f43b0dd5e463", "BOMRef": "pkg:apk/wolfi/py3.13-setuptools@80.9.0-r4?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "80.9.0-r4", "FixedVersion": "80.10.2-r0", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-24049", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:e652b700442c287e6a187b8a8275cf7630564c6c92f49c4f26f21bcf3c257a38", "Title": "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking", "Description": "wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.", "Severity": "MEDIUM", "CweIDs": [ "CWE-22", "CWE-732" ], "VendorSeverity": { "alma": 3, "amazon": 3, "ghsa": 3, "nvd": 2, "oracle-oval": 3, "redhat": 3, "rocky": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "V3Score": 7.1 }, "nvd": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "V3Score": 5.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "V3Score": 7.1 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:1939", "https://access.redhat.com/security/cve/CVE-2026-24049", "https://bugzilla.redhat.com/2431959", "https://bugzilla.redhat.com/show_bug.cgi?id=2431959", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24049", "https://errata.almalinux.org/9/ALSA-2026-1939.html", "https://errata.rockylinux.org/RLSA-2026:1939", "https://github.com/pypa/wheel", "https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef", "https://github.com/pypa/wheel/commit/934fe177ff912c8e03d5ae951d3805e1fd90ba5e", "https://github.com/pypa/wheel/releases/tag/0.46.2", "https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx", "https://linux.oracle.com/cve/CVE-2026-24049.html", "https://linux.oracle.com/errata/ELSA-2026-2090.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-24049", "https://www.cve.org/CVERecord?id=CVE-2026-24049" ], "PublishedDate": "2026-01-22T05:16:23.157Z", "LastModifiedDate": "2026-02-18T14:56:48.657Z" }, { "VulnerabilityID": "CVE-2026-1299", "PkgID": "python-3.13@3.13.11-r2", "PkgName": "python-3.13", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "c546fcf7d1b404b7", "BOMRef": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r1", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-1299", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:3eefc9a09d651e3ca24039bd9e97f90fdd18b37e245ec93f7971befc232c92e4", "Title": "cpython: email header injection due to unquoted newlines", "Description": "The \nemail module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "Severity": "HIGH", "CweIDs": [ "CWE-93" ], "VendorSeverity": { "alma": 2, "amazon": 2, "azure": 2, "bitnami": 2, "cbl-mariner": 2, "oracle-oval": 2, "redhat": 2, "rocky": 2 }, "CVSS": { "bitnami": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "V40Score": 6 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "V3Score": 7.1 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:4216", "https://access.redhat.com/security/cve/CVE-2026-1299", "https://bugzilla.redhat.com/2431368", "https://bugzilla.redhat.com/2431373", "https://bugzilla.redhat.com/2432437", "https://bugzilla.redhat.com/show_bug.cgi?id=2431367", "https://bugzilla.redhat.com/show_bug.cgi?id=2431368", "https://bugzilla.redhat.com/show_bug.cgi?id=2431373", "https://bugzilla.redhat.com/show_bug.cgi?id=2432437", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15366", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15367", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0865", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1299", "https://cve.org/CVERecord?id=CVE-2024-6923", "https://errata.almalinux.org/9/ALSA-2026-4216.html", "https://errata.rockylinux.org/RLSA-2026:4168", "https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413", "https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8", "https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9", "https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4", "https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36", "https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a", "https://github.com/python/cpython/issues/144125", "https://github.com/python/cpython/pull/144126", "https://linux.oracle.com/cve/CVE-2026-1299.html", "https://linux.oracle.com/errata/ELSA-2026-4713.html", "https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/", "https://nvd.nist.gov/vuln/detail/CVE-2026-1299", "https://www.cve.org/CVERecord?id=CVE-2026-1299" ], "PublishedDate": "2026-01-23T17:16:12.977Z", "LastModifiedDate": "2026-02-13T17:16:12.943Z" }, { "VulnerabilityID": "CVE-2026-4519", "PkgID": "python-3.13@3.13.11-r2", "PkgName": "python-3.13", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "c546fcf7d1b404b7", "BOMRef": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r5", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4519", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:87b780d276db419f5855c5087669052561545eb385ce327a9b2caba682940690", "Title": "python: Python: Command-line option injection in webbrowser.open() via crafted URLs", "Description": "The webbrowser.open() API would accept leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open().", "Severity": "HIGH", "CweIDs": [ "CWE-20" ], "VendorSeverity": { "alma": 3, "azure": 3, "cbl-mariner": 3, "oracle-oval": 3, "photon": 3, "redhat": 3 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "V3Score": 7.1 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/03/20/1", "https://access.redhat.com/errata/RHSA-2026:6286", "https://access.redhat.com/security/cve/CVE-2026-4519", "https://bugzilla.redhat.com/2449649", "https://errata.almalinux.org/9/ALSA-2026-6286.html", "https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866", "https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b", "https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76", "https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5", "https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48", "https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03", "https://github.com/python/cpython/issues/143930", "https://github.com/python/cpython/pull/143931", "https://linux.oracle.com/cve/CVE-2026-4519.html", "https://linux.oracle.com/errata/ELSA-2026-6473.html", "https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/", "https://nvd.nist.gov/vuln/detail/CVE-2026-4519", "https://www.cve.org/CVERecord?id=CVE-2026-4519" ], "PublishedDate": "2026-03-20T15:16:24.057Z", "LastModifiedDate": "2026-03-25T18:16:33.073Z" }, { "VulnerabilityID": "CVE-2025-11468", "PkgID": "python-3.13@3.13.11-r2", "PkgName": "python-3.13", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "c546fcf7d1b404b7", "BOMRef": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r1", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-11468", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:088c33c8923508597cb1883385de242a468305b8cad08c2adb7a4dfe85fb1ed4", "Title": "cpython: Missing character filtering in Python", "Description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "Severity": "MEDIUM", "CweIDs": [ "CWE-93" ], "VendorSeverity": { "amazon": 2, "azure": 2, "bitnami": 2, "redhat": 2, "ubuntu": 2 }, "CVSS": { "bitnami": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "V40Score": 5.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N", "V3Score": 4.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-11468", "https://github.com/python/cpython/commit/003b8315669b9f08b1010a49071f73f15f818094", "https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2", "https://github.com/python/cpython/commit/61614a5e5056e4f61ced65008d4576f3df34acb6", "https://github.com/python/cpython/commit/a76e4cd62dd68e7cbe86e37e6ed988495a646b66", "https://github.com/python/cpython/commit/e9970f077240c7c670e8a6fc6662f2b30d3b6ad0", "https://github.com/python/cpython/commit/f738386838021c762efea6c9802c82de65e87796", "https://github.com/python/cpython/issues/143935", "https://github.com/python/cpython/pull/143936", "https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI/", "https://nvd.nist.gov/vuln/detail/CVE-2025-11468", "https://ubuntu.com/security/notices/USN-8018-1", "https://www.cve.org/CVERecord?id=CVE-2025-11468" ], "PublishedDate": "2026-01-20T22:15:50.69Z", "LastModifiedDate": "2026-03-03T15:16:13.803Z" }, { "VulnerabilityID": "CVE-2025-15282", "PkgID": "python-3.13@3.13.11-r2", "PkgName": "python-3.13", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "c546fcf7d1b404b7", "BOMRef": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r1", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15282", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:1b963dc3c0a7d4117eaac2dd4e18d20c4a6ad7bb030c997702724cfe3c816b88", "Title": "cpython: Header injection via newlines in data URL mediatype in Python", "Description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "Severity": "MEDIUM", "CweIDs": [ "CWE-93" ], "VendorSeverity": { "amazon": 2, "bitnami": 2, "redhat": 2, "ubuntu": 2 }, "CVSS": { "bitnami": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N", "V40Score": 6 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "V3Score": 4.8 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-15282", "https://github.com/python/cpython/commit/05356b1cc153108aaf27f3b72ce438af4aa218c0", "https://github.com/python/cpython/commit/34d76b00dabde81a793bd06dd8ecb057838c4b38", "https://github.com/python/cpython/commit/3f396ca9d7bbe2a50ea6b8c9b27c0082884d9f80", "https://github.com/python/cpython/commit/4ed11d3cd288e6b90196a15c5a825a45d318fe47", "https://github.com/python/cpython/commit/a35ca3be5842505dab74dc0b90b89cde0405017a", "https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f", "https://github.com/python/cpython/issues/143925", "https://github.com/python/cpython/pull/143926", "https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/", "https://nvd.nist.gov/vuln/detail/CVE-2025-15282", "https://ubuntu.com/security/notices/USN-8018-1", "https://ubuntu.com/security/notices/USN-8018-3", "https://www.cve.org/CVERecord?id=CVE-2025-15282" ], "PublishedDate": "2026-01-20T22:15:50.883Z", "LastModifiedDate": "2026-01-26T15:16:06.62Z" }, { "VulnerabilityID": "CVE-2026-0672", "PkgID": "python-3.13@3.13.11-r2", "PkgName": "python-3.13", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "c546fcf7d1b404b7", "BOMRef": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r1", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-0672", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:68c76114e6d4b3a4197384124e0c7e9d8777b7b1083a91cdd96062356e2fa3a9", "Title": "cpython: Header injection in http.cookies.Morsel in Python", "Description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "Severity": "MEDIUM", "CweIDs": [ "CWE-93" ], "VendorSeverity": { "amazon": 2, "azure": 2, "bitnami": 2, "cbl-mariner": 2, "redhat": 2, "ubuntu": 2 }, "CVSS": { "bitnami": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "V40Score": 6 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "V3Score": 4.8 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-0672", "https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172", "https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440", "https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d", "https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca", "https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70", "https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85", "https://github.com/python/cpython/issues/143919", "https://github.com/python/cpython/pull/143920", "https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/", "https://nvd.nist.gov/vuln/detail/CVE-2026-0672", "https://ubuntu.com/security/notices/USN-8018-1", "https://ubuntu.com/security/notices/USN-8018-3", "https://www.cve.org/CVERecord?id=CVE-2026-0672" ], "PublishedDate": "2026-01-20T22:15:52.68Z", "LastModifiedDate": "2026-01-26T15:16:07.033Z" }, { "VulnerabilityID": "CVE-2026-0865", "PkgID": "python-3.13@3.13.11-r2", "PkgName": "python-3.13", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "c546fcf7d1b404b7", "BOMRef": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r1", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-0865", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:457672fcc050db86786f704a356abe4f0bd2d40d0ec82c169b6531ef8e37a091", "Title": "cpython: wsgiref.headers.Headers allows header newline injection in Python", "Description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "Severity": "MEDIUM", "CweIDs": [ "CWE-74" ], "VendorSeverity": { "alma": 2, "amazon": 2, "azure": 2, "bitnami": 2, "cbl-mariner": 2, "oracle-oval": 2, "redhat": 2, "rocky": 2, "ubuntu": 2 }, "CVSS": { "bitnami": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "V40Score": 5.9 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N", "V3Score": 4.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:4168", "https://access.redhat.com/security/cve/CVE-2026-0865", "https://bugzilla.redhat.com/2431368", "https://bugzilla.redhat.com/2431373", "https://bugzilla.redhat.com/2432437", "https://bugzilla.redhat.com/show_bug.cgi?id=2431367", "https://bugzilla.redhat.com/show_bug.cgi?id=2431368", "https://bugzilla.redhat.com/show_bug.cgi?id=2431373", "https://bugzilla.redhat.com/show_bug.cgi?id=2432437", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15366", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15367", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0865", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1299", "https://errata.almalinux.org/9/ALSA-2026-4168.html", "https://errata.rockylinux.org/RLSA-2026:4168", "https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58", "https://github.com/python/cpython/commit/23e3c0ae867cca0130e441e776c9955b9027c510", "https://github.com/python/cpython/commit/286e3ac39984fe85a17f4ab39c64d382137aae5f", "https://github.com/python/cpython/commit/2f840249550e082dc351743f474ba56da10478d2", "https://github.com/python/cpython/commit/4802b96a2cde58570c24c13ef3289490980961c5", "https://github.com/python/cpython/commit/66da7bf6fe7b81e3ecc9c0a25bd47d4616c8d1a6", "https://github.com/python/cpython/commit/83ecd18779f286d872f68bfce175651e407d9fff", "https://github.com/python/cpython/commit/8bb044d29310bb05d15086cdaa8bf64867d61a97", "https://github.com/python/cpython/commit/bfba660085767f8c2d582134e9d511a85eda04cf", "https://github.com/python/cpython/commit/c592227ffb48679af9845a45dbb0875d975bb219", "https://github.com/python/cpython/commit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995", "https://github.com/python/cpython/commit/f7fceed79ca1bceae8dbe5ba5bc8928564da7211", "https://github.com/python/cpython/issues/143916", "https://github.com/python/cpython/pull/143917", "https://linux.oracle.com/cve/CVE-2026-0865.html", "https://linux.oracle.com/errata/ELSA-2026-4713.html", "https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/", "https://nvd.nist.gov/vuln/detail/CVE-2026-0865", "https://ubuntu.com/security/notices/USN-8018-1", "https://ubuntu.com/security/notices/USN-8018-3", "https://www.cve.org/CVERecord?id=CVE-2026-0865" ], "PublishedDate": "2026-01-20T22:15:52.8Z", "LastModifiedDate": "2026-03-03T15:16:17.59Z" }, { "VulnerabilityID": "CVE-2026-3644", "PkgID": "python-3.13@3.13.11-r2", "PkgName": "python-3.13", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "c546fcf7d1b404b7", "BOMRef": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r7", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-3644", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:c8d28294195177e8978693f3e7449f371b6920b645807f0340ba34d231ce54bc", "Title": "cpython: Incomplete control character validation in http.cookies", "Description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().", "Severity": "MEDIUM", "CweIDs": [ "CWE-20", "CWE-116" ], "VendorSeverity": { "amazon": 2, "redhat": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "V3Score": 5.4 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-3644", "https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4", "https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd", "https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd", "https://github.com/python/cpython/issues/145599", "https://github.com/python/cpython/pull/145600", "https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/", "https://nvd.nist.gov/vuln/detail/CVE-2026-3644", "https://www.cve.org/CVERecord?id=CVE-2026-3644" ], "PublishedDate": "2026-03-16T18:16:09.907Z", "LastModifiedDate": "2026-03-17T14:20:01.67Z" }, { "VulnerabilityID": "CVE-2026-4224", "PkgID": "python-3.13@3.13.11-r2", "PkgName": "python-3.13", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "c546fcf7d1b404b7", "BOMRef": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r7", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4224", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:4f0e5b90d3295d94057f035b88055b1b7a587c5cbb3aacb95d5b07a3a8af2bd8", "Title": "cpython: Stack overflow parsing XML with deeply nested DTD content models", "Description": "When an Expat parser with a registered ElementDeclHandler parses an inline\ndocument type definition containing a deeply nested content model a C stack\noverflow occurs.", "Severity": "MEDIUM", "CweIDs": [ "CWE-674" ], "VendorSeverity": { "amazon": 2, "redhat": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/03/16/4", "https://access.redhat.com/security/cve/CVE-2026-4224", "https://github.com/python/cpython/commit/196edfb06a7458377d4d0f4b3cd41724c1f3bd4a", "https://github.com/python/cpython/commit/e0a8a6da90597a924b300debe045cdb4628ee1f3", "https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf532768", "https://github.com/python/cpython/issues/145986", "https://github.com/python/cpython/pull/145987", "https://mail.python.org/archives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R/", "https://nvd.nist.gov/vuln/detail/CVE-2026-4224", "https://www.cve.org/CVERecord?id=CVE-2026-4224" ], "PublishedDate": "2026-03-16T18:16:10.07Z", "LastModifiedDate": "2026-03-17T14:20:01.67Z" }, { "VulnerabilityID": "CVE-2026-2297", "PkgID": "python-3.13@3.13.11-r2", "PkgName": "python-3.13", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "c546fcf7d1b404b7", "BOMRef": "pkg:apk/wolfi/python-3.13@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r3", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-2297", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:85c7d30421e8d80c6bd32528060f82894c764a80e0aa520674ea300884364325", "Title": "cpython: CPython: Logging Bypass in Legacy .pyc File Handling", "Description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.", "Severity": "LOW", "CweIDs": [ "CWE-668" ], "VendorSeverity": { "redhat": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "V3Score": 3.3 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/03/05/6", "https://access.redhat.com/security/cve/CVE-2026-2297", "https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e", "https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e", "https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86", "https://github.com/python/cpython/issues/145506", "https://github.com/python/cpython/pull/145507", "https://nvd.nist.gov/vuln/detail/CVE-2026-2297", "https://www.cve.org/CVERecord?id=CVE-2026-2297" ], "PublishedDate": "2026-03-04T23:16:10.757Z", "LastModifiedDate": "2026-03-12T15:16:27.957Z" }, { "VulnerabilityID": "CVE-2026-1299", "PkgID": "python-3.13-base@3.13.11-r2", "PkgName": "python-3.13-base", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "76ccde4e5caeebb", "BOMRef": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r1", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-1299", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:8e430ad2d48ea0a14df2351e4fa95d2e264f24973aef54001bd3efa3352a5b9b", "Title": "cpython: email header injection due to unquoted newlines", "Description": "The \nemail module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "Severity": "HIGH", "CweIDs": [ "CWE-93" ], "VendorSeverity": { "alma": 2, "amazon": 2, "azure": 2, "bitnami": 2, "cbl-mariner": 2, "oracle-oval": 2, "redhat": 2, "rocky": 2 }, "CVSS": { "bitnami": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "V40Score": 6 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "V3Score": 7.1 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:4216", "https://access.redhat.com/security/cve/CVE-2026-1299", "https://bugzilla.redhat.com/2431368", "https://bugzilla.redhat.com/2431373", "https://bugzilla.redhat.com/2432437", "https://bugzilla.redhat.com/show_bug.cgi?id=2431367", "https://bugzilla.redhat.com/show_bug.cgi?id=2431368", "https://bugzilla.redhat.com/show_bug.cgi?id=2431373", "https://bugzilla.redhat.com/show_bug.cgi?id=2432437", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15366", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15367", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0865", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1299", "https://cve.org/CVERecord?id=CVE-2024-6923", "https://errata.almalinux.org/9/ALSA-2026-4216.html", "https://errata.rockylinux.org/RLSA-2026:4168", "https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413", "https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8", "https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9", "https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4", "https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36", "https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a", "https://github.com/python/cpython/issues/144125", "https://github.com/python/cpython/pull/144126", "https://linux.oracle.com/cve/CVE-2026-1299.html", "https://linux.oracle.com/errata/ELSA-2026-4713.html", "https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/", "https://nvd.nist.gov/vuln/detail/CVE-2026-1299", "https://www.cve.org/CVERecord?id=CVE-2026-1299" ], "PublishedDate": "2026-01-23T17:16:12.977Z", "LastModifiedDate": "2026-02-13T17:16:12.943Z" }, { "VulnerabilityID": "CVE-2026-4519", "PkgID": "python-3.13-base@3.13.11-r2", "PkgName": "python-3.13-base", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "76ccde4e5caeebb", "BOMRef": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r5", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4519", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:f07cb764ee6047ca65f24b1f1fb896d7a669d45f00c327a8a04d5b02b9e65139", "Title": "python: Python: Command-line option injection in webbrowser.open() via crafted URLs", "Description": "The webbrowser.open() API would accept leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open().", "Severity": "HIGH", "CweIDs": [ "CWE-20" ], "VendorSeverity": { "alma": 3, "azure": 3, "cbl-mariner": 3, "oracle-oval": 3, "photon": 3, "redhat": 3 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "V3Score": 7.1 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/03/20/1", "https://access.redhat.com/errata/RHSA-2026:6286", "https://access.redhat.com/security/cve/CVE-2026-4519", "https://bugzilla.redhat.com/2449649", "https://errata.almalinux.org/9/ALSA-2026-6286.html", "https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866", "https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b", "https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76", "https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5", "https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48", "https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03", "https://github.com/python/cpython/issues/143930", "https://github.com/python/cpython/pull/143931", "https://linux.oracle.com/cve/CVE-2026-4519.html", "https://linux.oracle.com/errata/ELSA-2026-6473.html", "https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/", "https://nvd.nist.gov/vuln/detail/CVE-2026-4519", "https://www.cve.org/CVERecord?id=CVE-2026-4519" ], "PublishedDate": "2026-03-20T15:16:24.057Z", "LastModifiedDate": "2026-03-25T18:16:33.073Z" }, { "VulnerabilityID": "CVE-2025-11468", "PkgID": "python-3.13-base@3.13.11-r2", "PkgName": "python-3.13-base", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "76ccde4e5caeebb", "BOMRef": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r1", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-11468", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:5bceec55d1643c4f67ffe6988f5e52b4ce7d986fa3c5247be666d4dd172710d7", "Title": "cpython: Missing character filtering in Python", "Description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "Severity": "MEDIUM", "CweIDs": [ "CWE-93" ], "VendorSeverity": { "amazon": 2, "azure": 2, "bitnami": 2, "redhat": 2, "ubuntu": 2 }, "CVSS": { "bitnami": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "V40Score": 5.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N", "V3Score": 4.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-11468", "https://github.com/python/cpython/commit/003b8315669b9f08b1010a49071f73f15f818094", "https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2", "https://github.com/python/cpython/commit/61614a5e5056e4f61ced65008d4576f3df34acb6", "https://github.com/python/cpython/commit/a76e4cd62dd68e7cbe86e37e6ed988495a646b66", "https://github.com/python/cpython/commit/e9970f077240c7c670e8a6fc6662f2b30d3b6ad0", "https://github.com/python/cpython/commit/f738386838021c762efea6c9802c82de65e87796", "https://github.com/python/cpython/issues/143935", "https://github.com/python/cpython/pull/143936", "https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI/", "https://nvd.nist.gov/vuln/detail/CVE-2025-11468", "https://ubuntu.com/security/notices/USN-8018-1", "https://www.cve.org/CVERecord?id=CVE-2025-11468" ], "PublishedDate": "2026-01-20T22:15:50.69Z", "LastModifiedDate": "2026-03-03T15:16:13.803Z" }, { "VulnerabilityID": "CVE-2025-15282", "PkgID": "python-3.13-base@3.13.11-r2", "PkgName": "python-3.13-base", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "76ccde4e5caeebb", "BOMRef": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r1", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-15282", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:028e39de98f53fae311e56e9d1c327597e0f1f0072278e3c59ddafd932e2a3a8", "Title": "cpython: Header injection via newlines in data URL mediatype in Python", "Description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "Severity": "MEDIUM", "CweIDs": [ "CWE-93" ], "VendorSeverity": { "amazon": 2, "bitnami": 2, "redhat": 2, "ubuntu": 2 }, "CVSS": { "bitnami": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N", "V40Score": 6 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "V3Score": 4.8 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-15282", "https://github.com/python/cpython/commit/05356b1cc153108aaf27f3b72ce438af4aa218c0", "https://github.com/python/cpython/commit/34d76b00dabde81a793bd06dd8ecb057838c4b38", "https://github.com/python/cpython/commit/3f396ca9d7bbe2a50ea6b8c9b27c0082884d9f80", "https://github.com/python/cpython/commit/4ed11d3cd288e6b90196a15c5a825a45d318fe47", "https://github.com/python/cpython/commit/a35ca3be5842505dab74dc0b90b89cde0405017a", "https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f", "https://github.com/python/cpython/issues/143925", "https://github.com/python/cpython/pull/143926", "https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/", "https://nvd.nist.gov/vuln/detail/CVE-2025-15282", "https://ubuntu.com/security/notices/USN-8018-1", "https://ubuntu.com/security/notices/USN-8018-3", "https://www.cve.org/CVERecord?id=CVE-2025-15282" ], "PublishedDate": "2026-01-20T22:15:50.883Z", "LastModifiedDate": "2026-01-26T15:16:06.62Z" }, { "VulnerabilityID": "CVE-2026-0672", "PkgID": "python-3.13-base@3.13.11-r2", "PkgName": "python-3.13-base", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "76ccde4e5caeebb", "BOMRef": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r1", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-0672", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:65ad45ac21bf7b20123095f5b479786d90567e9eca84f26bec7e71ce7fd6ff92", "Title": "cpython: Header injection in http.cookies.Morsel in Python", "Description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "Severity": "MEDIUM", "CweIDs": [ "CWE-93" ], "VendorSeverity": { "amazon": 2, "azure": 2, "bitnami": 2, "cbl-mariner": 2, "redhat": 2, "ubuntu": 2 }, "CVSS": { "bitnami": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "V40Score": 6 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "V3Score": 4.8 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-0672", "https://github.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172", "https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440", "https://github.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d", "https://github.com/python/cpython/commit/918387e4912d12ffc166c8f2a38df92b6ec756ca", "https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70", "https://github.com/python/cpython/commit/b1869ff648bbee0717221d09e6deff46617f3e85", "https://github.com/python/cpython/issues/143919", "https://github.com/python/cpython/pull/143920", "https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/", "https://nvd.nist.gov/vuln/detail/CVE-2026-0672", "https://ubuntu.com/security/notices/USN-8018-1", "https://ubuntu.com/security/notices/USN-8018-3", "https://www.cve.org/CVERecord?id=CVE-2026-0672" ], "PublishedDate": "2026-01-20T22:15:52.68Z", "LastModifiedDate": "2026-01-26T15:16:07.033Z" }, { "VulnerabilityID": "CVE-2026-0865", "PkgID": "python-3.13-base@3.13.11-r2", "PkgName": "python-3.13-base", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "76ccde4e5caeebb", "BOMRef": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r1", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-0865", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:0d4207d9081914252190191686cb4cf624d2557fc189d89863db5efef19419ee", "Title": "cpython: wsgiref.headers.Headers allows header newline injection in Python", "Description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "Severity": "MEDIUM", "CweIDs": [ "CWE-74" ], "VendorSeverity": { "alma": 2, "amazon": 2, "azure": 2, "bitnami": 2, "cbl-mariner": 2, "oracle-oval": 2, "redhat": 2, "rocky": 2, "ubuntu": 2 }, "CVSS": { "bitnami": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "V40Score": 5.9 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N", "V3Score": 4.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:4168", "https://access.redhat.com/security/cve/CVE-2026-0865", "https://bugzilla.redhat.com/2431368", "https://bugzilla.redhat.com/2431373", "https://bugzilla.redhat.com/2432437", "https://bugzilla.redhat.com/show_bug.cgi?id=2431367", "https://bugzilla.redhat.com/show_bug.cgi?id=2431368", "https://bugzilla.redhat.com/show_bug.cgi?id=2431373", "https://bugzilla.redhat.com/show_bug.cgi?id=2432437", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15366", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-15367", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0865", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1299", "https://errata.almalinux.org/9/ALSA-2026-4168.html", "https://errata.rockylinux.org/RLSA-2026:4168", "https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58", "https://github.com/python/cpython/commit/23e3c0ae867cca0130e441e776c9955b9027c510", "https://github.com/python/cpython/commit/286e3ac39984fe85a17f4ab39c64d382137aae5f", "https://github.com/python/cpython/commit/2f840249550e082dc351743f474ba56da10478d2", "https://github.com/python/cpython/commit/4802b96a2cde58570c24c13ef3289490980961c5", "https://github.com/python/cpython/commit/66da7bf6fe7b81e3ecc9c0a25bd47d4616c8d1a6", "https://github.com/python/cpython/commit/83ecd18779f286d872f68bfce175651e407d9fff", "https://github.com/python/cpython/commit/8bb044d29310bb05d15086cdaa8bf64867d61a97", "https://github.com/python/cpython/commit/bfba660085767f8c2d582134e9d511a85eda04cf", "https://github.com/python/cpython/commit/c592227ffb48679af9845a45dbb0875d975bb219", "https://github.com/python/cpython/commit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995", "https://github.com/python/cpython/commit/f7fceed79ca1bceae8dbe5ba5bc8928564da7211", "https://github.com/python/cpython/issues/143916", "https://github.com/python/cpython/pull/143917", "https://linux.oracle.com/cve/CVE-2026-0865.html", "https://linux.oracle.com/errata/ELSA-2026-4713.html", "https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/", "https://nvd.nist.gov/vuln/detail/CVE-2026-0865", "https://ubuntu.com/security/notices/USN-8018-1", "https://ubuntu.com/security/notices/USN-8018-3", "https://www.cve.org/CVERecord?id=CVE-2026-0865" ], "PublishedDate": "2026-01-20T22:15:52.8Z", "LastModifiedDate": "2026-03-03T15:16:17.59Z" }, { "VulnerabilityID": "CVE-2026-3644", "PkgID": "python-3.13-base@3.13.11-r2", "PkgName": "python-3.13-base", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "76ccde4e5caeebb", "BOMRef": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r7", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-3644", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:b69bb77d1b3f9a86c0d8ea2f4091b0a005a9cc5d1a0d8451c11ee859e1684217", "Title": "cpython: Incomplete control character validation in http.cookies", "Description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().", "Severity": "MEDIUM", "CweIDs": [ "CWE-20", "CWE-116" ], "VendorSeverity": { "amazon": 2, "redhat": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "V3Score": 5.4 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-3644", "https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4", "https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd", "https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd", "https://github.com/python/cpython/issues/145599", "https://github.com/python/cpython/pull/145600", "https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/", "https://nvd.nist.gov/vuln/detail/CVE-2026-3644", "https://www.cve.org/CVERecord?id=CVE-2026-3644" ], "PublishedDate": "2026-03-16T18:16:09.907Z", "LastModifiedDate": "2026-03-17T14:20:01.67Z" }, { "VulnerabilityID": "CVE-2026-4224", "PkgID": "python-3.13-base@3.13.11-r2", "PkgName": "python-3.13-base", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "76ccde4e5caeebb", "BOMRef": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r7", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4224", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:d2f08ccbcb7d6b2dbdddf1329e440304671c73b00cd36d1d23fd76631d13cb36", "Title": "cpython: Stack overflow parsing XML with deeply nested DTD content models", "Description": "When an Expat parser with a registered ElementDeclHandler parses an inline\ndocument type definition containing a deeply nested content model a C stack\noverflow occurs.", "Severity": "MEDIUM", "CweIDs": [ "CWE-674" ], "VendorSeverity": { "amazon": 2, "redhat": 2 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/03/16/4", "https://access.redhat.com/security/cve/CVE-2026-4224", "https://github.com/python/cpython/commit/196edfb06a7458377d4d0f4b3cd41724c1f3bd4a", "https://github.com/python/cpython/commit/e0a8a6da90597a924b300debe045cdb4628ee1f3", "https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf532768", "https://github.com/python/cpython/issues/145986", "https://github.com/python/cpython/pull/145987", "https://mail.python.org/archives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R/", "https://nvd.nist.gov/vuln/detail/CVE-2026-4224", "https://www.cve.org/CVERecord?id=CVE-2026-4224" ], "PublishedDate": "2026-03-16T18:16:10.07Z", "LastModifiedDate": "2026-03-17T14:20:01.67Z" }, { "VulnerabilityID": "CVE-2026-2297", "PkgID": "python-3.13-base@3.13.11-r2", "PkgName": "python-3.13-base", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201", "UID": "76ccde4e5caeebb", "BOMRef": "pkg:apk/wolfi/python-3.13-base@3.13.11-r2?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "3.13.11-r2", "FixedVersion": "3.13.12-r3", "Status": "fixed", "Layer": { "Digest": "sha256:e88ffa986d5437f02f30a66d99a22adc982eb33a5694321f2bf9bafa4933a759", "DiffID": "sha256:20b6c134e29a3293d8296715c4572ad08361a1c2724523e80487f232d517f5b4" }, "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-2297", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:711f7cba3319f8efb8ee12795f60c78e69a117ec35cb5c56149351e7966578c0", "Title": "cpython: CPython: Logging Bypass in Legacy .pyc File Handling", "Description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.", "Severity": "LOW", "CweIDs": [ "CWE-668" ], "VendorSeverity": { "redhat": 1 }, "CVSS": { "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "V3Score": 3.3 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/03/05/6", "https://access.redhat.com/security/cve/CVE-2026-2297", "https://github.com/python/cpython/commit/482d6f8bdba9da3725d272e8bb4a2d25fb6a603e", "https://github.com/python/cpython/commit/a51b1b512de1d56b3714b65628a2eae2b07e535e", "https://github.com/python/cpython/commit/e58e9802b9bec5cdbf48fc9bf1da5f4fda482e86", "https://github.com/python/cpython/issues/145506", "https://github.com/python/cpython/pull/145507", "https://nvd.nist.gov/vuln/detail/CVE-2026-2297", "https://www.cve.org/CVERecord?id=CVE-2026-2297" ], "PublishedDate": "2026-03-04T23:16:10.757Z", "LastModifiedDate": "2026-03-12T15:16:27.957Z" }, { "VulnerabilityID": "CVE-2026-27171", "PkgID": "zlib@1.3.1.2-r1", "PkgName": "zlib", "PkgIdentifier": { "PURL": "pkg:apk/wolfi/zlib@1.3.1.2-r1?arch=x86_64\u0026distro=20230201", "UID": "d9c9357d2b1de8c9", "BOMRef": "pkg:apk/wolfi/zlib@1.3.1.2-r1?arch=x86_64\u0026distro=20230201" }, "InstalledVersion": "1.3.1.2-r1", "FixedVersion": "1.3.2-r0", "Status": "fixed", "Layer": { "Digest": "sha256:7c9a487ed6faf9893d87deeb23f0fe3f2b7f1b8a3121a18dd72584e427c066be", "DiffID": "sha256:1fee5809205cb8bb72f000e4f3450f72ec540d082261fae2d874afdf2cfb1af8" }, "SeveritySource": "nvd", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27171", "DataSource": { "ID": "wolfi", "Name": "Wolfi Secdb", "URL": "https://packages.wolfi.dev/os/security.json" }, "Fingerprint": "sha256:57287faf0e3d06cb347483e5de4c21c21c4990f8d2147798ac17bc10efe1f9d8", "Title": "zlib: zlib: Denial of Service via infinite loop in CRC32 combine functions", "Description": "zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.", "Severity": "MEDIUM", "CweIDs": [ "CWE-1284" ], "VendorSeverity": { "azure": 1, "nvd": 2, "redhat": 1, "ubuntu": 1 }, "CVSS": { "nvd": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "V3Score": 3.3 } }, "References": [ "https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/", "https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf", "https://access.redhat.com/security/cve/CVE-2026-27171", "https://github.com/madler/zlib/issues/904", "https://github.com/madler/zlib/releases/tag/v1.3.2", "https://nvd.nist.gov/vuln/detail/CVE-2026-27171", "https://ostif.org/zlib-audit-complete/", "https://www.cve.org/CVERecord?id=CVE-2026-27171" ], "PublishedDate": "2026-02-18T04:16:01.263Z", "LastModifiedDate": "2026-03-25T21:27:04.603Z" } ] }, { "Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg", "Packages": [ { "ID": "@isaacs/balanced-match@4.0.1", "Name": "@isaacs/balanced-match", "Identifier": { "PURL": "pkg:npm/%40isaacs/balanced-match@4.0.1", "UID": "ec803816b2e42007", "BOMRef": "pkg:npm/%40isaacs/balanced-match@4.0.1" }, "Version": "4.0.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@isaacs/balanced-match/package.json", "Digest": "sha1:17c25730c5cb82e1d4ee1c212f2b2588dd5a3781" }, { "ID": "@isaacs/brace-expansion@5.0.0", "Name": "@isaacs/brace-expansion", "Identifier": { "PURL": "pkg:npm/%40isaacs/brace-expansion@5.0.0", "UID": "5e247e096d36a4b2", "BOMRef": "pkg:npm/%40isaacs/brace-expansion@5.0.0" }, "Version": "5.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@isaacs/brace-expansion/package.json", "Digest": "sha1:2459cb4c8d448d170d5705d9e9c41bc0d8fca900" }, { "ID": "@isaacs/cliui@8.0.2", "Name": "@isaacs/cliui", "Identifier": { "PURL": "pkg:npm/%40isaacs/cliui@8.0.2", "UID": "7a97bda94f6d7ca5", "BOMRef": "pkg:npm/%40isaacs/cliui@8.0.2" }, "Version": "8.0.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@isaacs/cliui/package.json", "Digest": "sha1:5f8f4c1e3bf1144f3a52c51bf040d843bb2a8b90" }, { "ID": "@isaacs/fs-minipass@4.0.1", "Name": "@isaacs/fs-minipass", "Identifier": { "PURL": "pkg:npm/%40isaacs/fs-minipass@4.0.1", "UID": "bc184ec1b9e28e0b", "BOMRef": "pkg:npm/%40isaacs/fs-minipass@4.0.1" }, "Version": "4.0.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@isaacs/fs-minipass/package.json", "Digest": "sha1:504edba0a95630e08edf150335c2fe914825fc5a" }, { "ID": "@isaacs/string-locale-compare@1.1.0", "Name": "@isaacs/string-locale-compare", "Identifier": { "PURL": "pkg:npm/%40isaacs/string-locale-compare@1.1.0", "UID": "f040447de7a97e94", "BOMRef": "pkg:npm/%40isaacs/string-locale-compare@1.1.0" }, "Version": "1.1.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@isaacs/string-locale-compare/package.json", "Digest": "sha1:9dc38644ea6f125e3b06825ff04df5ea22f56094" }, { "ID": "@npmcli/agent@3.0.0", "Name": "@npmcli/agent", "Identifier": { "PURL": "pkg:npm/%40npmcli/agent@3.0.0", "UID": "d06a94345c5cf464", "BOMRef": "pkg:npm/%40npmcli/agent@3.0.0" }, "Version": "3.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/node-gyp/node_modules/@npmcli/agent/package.json", "Digest": "sha1:ca472993ec88d2b98a488f843d480575f24092f7" }, { "ID": "@npmcli/agent@4.0.0", "Name": "@npmcli/agent", "Identifier": { "PURL": "pkg:npm/%40npmcli/agent@4.0.0", "UID": "db4973d6b87a4c90", "BOMRef": "pkg:npm/%40npmcli/agent@4.0.0" }, "Version": "4.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/agent/package.json", "Digest": "sha1:48e34f21103faf00d9c60756e62dee09494be465" }, { "ID": "@npmcli/arborist@9.1.6", "Name": "@npmcli/arborist", "Identifier": { "PURL": "pkg:npm/%40npmcli/arborist@9.1.6", "UID": "2c6b1813bff33a9b", "BOMRef": "pkg:npm/%40npmcli/arborist@9.1.6" }, "Version": "9.1.6", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/arborist/package.json", "Digest": "sha1:f33c67da757406439e5a8bb3b39996fa87d27dbf" }, { "ID": "@npmcli/config@10.4.2", "Name": "@npmcli/config", "Identifier": { "PURL": "pkg:npm/%40npmcli/config@10.4.2", "UID": "9a2bab39436bbfdb", "BOMRef": "pkg:npm/%40npmcli/config@10.4.2" }, "Version": "10.4.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/config/package.json", "Digest": "sha1:194b60a9b2b1b7d9c55bbde6f002e6f407c29753" }, { "ID": "@npmcli/fs@4.0.0", "Name": "@npmcli/fs", "Identifier": { "PURL": "pkg:npm/%40npmcli/fs@4.0.0", "UID": "bbb1f4acc894224a", "BOMRef": "pkg:npm/%40npmcli/fs@4.0.0" }, "Version": "4.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/fs/package.json", "Digest": "sha1:cf0302511d637d6a1f8b5e49b3d9b42210c7b8f0" }, { "ID": "@npmcli/git@7.0.0", "Name": "@npmcli/git", "Identifier": { "PURL": "pkg:npm/%40npmcli/git@7.0.0", "UID": "d003404496f37865", "BOMRef": "pkg:npm/%40npmcli/git@7.0.0" }, "Version": "7.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/git/package.json", "Digest": "sha1:89602e9193afacae84abb1ceab33721b03fa29c6" }, { "ID": "@npmcli/installed-package-contents@3.0.0", "Name": "@npmcli/installed-package-contents", "Identifier": { "PURL": "pkg:npm/%40npmcli/installed-package-contents@3.0.0", "UID": "3de241f42f279b60", "BOMRef": "pkg:npm/%40npmcli/installed-package-contents@3.0.0" }, "Version": "3.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/installed-package-contents/package.json", "Digest": "sha1:eb7509c6d4a24822861ce30d6906b6bba7ea40c1" }, { "ID": "@npmcli/map-workspaces@5.0.0", "Name": "@npmcli/map-workspaces", "Identifier": { "PURL": "pkg:npm/%40npmcli/map-workspaces@5.0.0", "UID": "5330170c97bb0da9", "BOMRef": "pkg:npm/%40npmcli/map-workspaces@5.0.0" }, "Version": "5.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/map-workspaces/package.json", "Digest": "sha1:7af92b48b9fde0f645832109b03656a17c015dc5" }, { "ID": "@npmcli/metavuln-calculator@9.0.2", "Name": "@npmcli/metavuln-calculator", "Identifier": { "PURL": "pkg:npm/%40npmcli/metavuln-calculator@9.0.2", "UID": "c9b7f7b0e92baaa9", "BOMRef": "pkg:npm/%40npmcli/metavuln-calculator@9.0.2" }, "Version": "9.0.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/package.json", "Digest": "sha1:8d3811d7a2b96bdeaccde89048f54f01885506ba" }, { "ID": "@npmcli/name-from-folder@3.0.0", "Name": "@npmcli/name-from-folder", "Identifier": { "PURL": "pkg:npm/%40npmcli/name-from-folder@3.0.0", "UID": "d333d3a32c2b279e", "BOMRef": "pkg:npm/%40npmcli/name-from-folder@3.0.0" }, "Version": "3.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/name-from-folder/package.json", "Digest": "sha1:2b6a54a8d10c9125e653dbe6f740e380324b61ba" }, { "ID": "@npmcli/node-gyp@4.0.0", "Name": "@npmcli/node-gyp", "Identifier": { "PURL": "pkg:npm/%40npmcli/node-gyp@4.0.0", "UID": "ee9236dc876a3b6b", "BOMRef": "pkg:npm/%40npmcli/node-gyp@4.0.0" }, "Version": "4.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/node-gyp/package.json", "Digest": "sha1:a91f3ca2b970fb8453035a15ea7ae5a2c68859c1" }, { "ID": "@npmcli/package-json@7.0.1", "Name": "@npmcli/package-json", "Identifier": { "PURL": "pkg:npm/%40npmcli/package-json@7.0.1", "UID": "55819759c91ad4dc", "BOMRef": "pkg:npm/%40npmcli/package-json@7.0.1" }, "Version": "7.0.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/package-json/package.json", "Digest": "sha1:8dfa60053aeca0de1403eb7c517dafc86e7e3611" }, { "ID": "@npmcli/promise-spawn@8.0.3", "Name": "@npmcli/promise-spawn", "Identifier": { "PURL": "pkg:npm/%40npmcli/promise-spawn@8.0.3", "UID": "73a464edb1a92eed", "BOMRef": "pkg:npm/%40npmcli/promise-spawn@8.0.3" }, "Version": "8.0.3", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/promise-spawn/package.json", "Digest": "sha1:5101b25f91ee7af2103b68a59b43b116bc4aaaad" }, { "ID": "@npmcli/query@4.0.1", "Name": "@npmcli/query", "Identifier": { "PURL": "pkg:npm/%40npmcli/query@4.0.1", "UID": "13b7da703ada06f1", "BOMRef": "pkg:npm/%40npmcli/query@4.0.1" }, "Version": "4.0.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/query/package.json", "Digest": "sha1:71d09c79da76d695099a90a592415e9c1440c5a1" }, { "ID": "@npmcli/redact@3.2.2", "Name": "@npmcli/redact", "Identifier": { "PURL": "pkg:npm/%40npmcli/redact@3.2.2", "UID": "7fd1fcb0f9f57c2d", "BOMRef": "pkg:npm/%40npmcli/redact@3.2.2" }, "Version": "3.2.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/redact/package.json", "Digest": "sha1:6f100bba733fae433b3156bd6a8a90249ffc5ecb" }, { "ID": "@npmcli/run-script@10.0.0", "Name": "@npmcli/run-script", "Identifier": { "PURL": "pkg:npm/%40npmcli/run-script@10.0.0", "UID": "4191f11fb1c5a67c", "BOMRef": "pkg:npm/%40npmcli/run-script@10.0.0" }, "Version": "10.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@npmcli/run-script/package.json", "Digest": "sha1:cdedbbbcbd429e634685f7c67d7069c6593b8006" }, { "ID": "@pkgjs/parseargs@0.11.0", "Name": "@pkgjs/parseargs", "Identifier": { "PURL": "pkg:npm/%40pkgjs/parseargs@0.11.0", "UID": "d0eedb6ca9de45e8", "BOMRef": "pkg:npm/%40pkgjs/parseargs@0.11.0" }, "Version": "0.11.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@pkgjs/parseargs/package.json", "Digest": "sha1:0dd3949ab9157869b8d3387f50a149bca2638d73" }, { "ID": "@prisma/client@5.4.2", "Name": "@prisma/client", "Identifier": { "PURL": "pkg:npm/%40prisma/client@5.4.2", "UID": "ba147343590d3324", "BOMRef": "pkg:npm/%40prisma/client@5.4.2" }, "Version": "5.4.2", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:ab7957019ca0985582e60811f248f83f2c11b6c0542fe90df14bed31af721a9e", "DiffID": "sha256:f16a4cff816ff065507de0d9c3f1656540ccb51cce36de166212349c1ec60824" }, "FilePath": "root/.cache/prisma-python/binaries/5.4.2/ac9d7041ed77bcc8a8dbd2ab6616b39013829574/node_modules/prisma/prisma-client/package.json", "Digest": "sha1:067a3cf4b08bb66df88691a278bd21a778474e60" }, { "ID": "@prisma/engines@5.4.2", "Name": "@prisma/engines", "Identifier": { "PURL": "pkg:npm/%40prisma/engines@5.4.2", "UID": "77a147382d199e42", "BOMRef": "pkg:npm/%40prisma/engines@5.4.2" }, "Version": "5.4.2", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:ab7957019ca0985582e60811f248f83f2c11b6c0542fe90df14bed31af721a9e", "DiffID": "sha256:f16a4cff816ff065507de0d9c3f1656540ccb51cce36de166212349c1ec60824" }, "FilePath": "root/.cache/prisma-python/binaries/5.4.2/ac9d7041ed77bcc8a8dbd2ab6616b39013829574/node_modules/@prisma/engines/package.json", "Digest": "sha1:27f640d9b356e0726de8c28f78eb8ad1c8bf1dd9" }, { "ID": "@sigstore/bundle@4.0.0", "Name": "@sigstore/bundle", "Identifier": { "PURL": "pkg:npm/%40sigstore/bundle@4.0.0", "UID": "9a853356961a11c8", "BOMRef": "pkg:npm/%40sigstore/bundle@4.0.0" }, "Version": "4.0.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@sigstore/bundle/package.json", "Digest": "sha1:1d6ca2f018ec884e6df5424d8d7fc6818d64c3b4" }, { "ID": "@sigstore/core@3.0.0", "Name": "@sigstore/core", "Identifier": { "PURL": "pkg:npm/%40sigstore/core@3.0.0", "UID": "21391f370eeb2e78", "BOMRef": "pkg:npm/%40sigstore/core@3.0.0" }, "Version": "3.0.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@sigstore/core/package.json", "Digest": "sha1:a3582aa64bea04fc99d1275aba7ebc582925a2c8" }, { "ID": "@sigstore/protobuf-specs@0.5.0", "Name": "@sigstore/protobuf-specs", "Identifier": { "PURL": "pkg:npm/%40sigstore/protobuf-specs@0.5.0", "UID": "ce839c4b60343bfa", "BOMRef": "pkg:npm/%40sigstore/protobuf-specs@0.5.0" }, "Version": "0.5.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@sigstore/protobuf-specs/package.json", "Digest": "sha1:883da1dcb03a5b8e4ba41bd5e8db239c9c17392b" }, { "ID": "@sigstore/sign@4.0.1", "Name": "@sigstore/sign", "Identifier": { "PURL": "pkg:npm/%40sigstore/sign@4.0.1", "UID": "18547859ff204814", "BOMRef": "pkg:npm/%40sigstore/sign@4.0.1" }, "Version": "4.0.1", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@sigstore/sign/package.json", "Digest": "sha1:4bec0011dd3d4f58a729b1a9e0e8e9592416f4b2" }, { "ID": "@sigstore/tuf@4.0.0", "Name": "@sigstore/tuf", "Identifier": { "PURL": "pkg:npm/%40sigstore/tuf@4.0.0", "UID": "e5b12d6aa0a7700", "BOMRef": "pkg:npm/%40sigstore/tuf@4.0.0" }, "Version": "4.0.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@sigstore/tuf/package.json", "Digest": "sha1:3a59a8c16182f65f8cabbf98fee333c9eaa394f6" }, { "ID": "@sigstore/verify@3.0.0", "Name": "@sigstore/verify", "Identifier": { "PURL": "pkg:npm/%40sigstore/verify@3.0.0", "UID": "a7e4501778d6148e", "BOMRef": "pkg:npm/%40sigstore/verify@3.0.0" }, "Version": "3.0.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@sigstore/verify/package.json", "Digest": "sha1:fb4180fd0c6f2de9386fa2ef9929f4c1a6f00562" }, { "ID": "@tufjs/canonical-json@2.0.0", "Name": "@tufjs/canonical-json", "Identifier": { "PURL": "pkg:npm/%40tufjs/canonical-json@2.0.0", "UID": "dcaf5e557a77aa8", "BOMRef": "pkg:npm/%40tufjs/canonical-json@2.0.0" }, "Version": "2.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@tufjs/canonical-json/package.json", "Digest": "sha1:5af11d14b15be3f1dc8a1195100ea60de40325c9" }, { "ID": "@tufjs/models@4.0.0", "Name": "@tufjs/models", "Identifier": { "PURL": "pkg:npm/%40tufjs/models@4.0.0", "UID": "27f90dd74f2052ef", "BOMRef": "pkg:npm/%40tufjs/models@4.0.0" }, "Version": "4.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@tufjs/models/package.json", "Digest": "sha1:1630e9d321e28e965386e30f9d855f05b6278fa9" }, { "ID": "abbrev@3.0.1", "Name": "abbrev", "Identifier": { "PURL": "pkg:npm/abbrev@3.0.1", "UID": "8dd48661b2509fc1", "BOMRef": "pkg:npm/abbrev@3.0.1" }, "Version": "3.0.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/abbrev/package.json", "Digest": "sha1:58ff9d74c88270726b05e383ba4d2641a18438f3" }, { "ID": "agent-base@7.1.4", "Name": "agent-base", "Identifier": { "PURL": "pkg:npm/agent-base@7.1.4", "UID": "624bb46ccafa0f13", "BOMRef": "pkg:npm/agent-base@7.1.4" }, "Version": "7.1.4", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/agent-base/package.json", "Digest": "sha1:126adbedcff6faa6826eca63c75e9193237ab10b" }, { "ID": "ansi-regex@5.0.1", "Name": "ansi-regex", "Identifier": { "PURL": "pkg:npm/ansi-regex@5.0.1", "UID": "63ac4fa4d2169309", "BOMRef": "pkg:npm/ansi-regex@5.0.1" }, "Version": "5.0.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/ansi-regex/package.json", "Digest": "sha1:f1b78e043012e1ab5689d57377093e88f1400677" }, { "ID": "ansi-regex@6.2.2", "Name": "ansi-regex", "Identifier": { "PURL": "pkg:npm/ansi-regex@6.2.2", "UID": "32e3a65b9e13d21a", "BOMRef": "442df981-73e2-4fab-ab21-20ad48bc5c44" }, "Version": "6.2.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@isaacs/cliui/node_modules/ansi-regex/package.json", "Digest": "sha1:ce200865f7a4839de6213072c7986484139c50b1" }, { "ID": "ansi-regex@6.2.2", "Name": "ansi-regex", "Identifier": { "PURL": "pkg:npm/ansi-regex@6.2.2", "UID": "37324a5efb7f3dcb", "BOMRef": "761bc39a-2e09-470a-bc32-68c26d17cfd3" }, "Version": "6.2.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/wrap-ansi/node_modules/ansi-regex/package.json", "Digest": "sha1:ce200865f7a4839de6213072c7986484139c50b1" }, { "ID": "ansi-styles@4.3.0", "Name": "ansi-styles", "Identifier": { "PURL": "pkg:npm/ansi-styles@4.3.0", "UID": "b1b20653a6cadc2e", "BOMRef": "pkg:npm/ansi-styles@4.3.0" }, "Version": "4.3.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/wrap-ansi-cjs/node_modules/ansi-styles/package.json", "Digest": "sha1:3c9ef7bd0a1c3d805814c654c457cc315c48c116" }, { "ID": "ansi-styles@6.2.3", "Name": "ansi-styles", "Identifier": { "PURL": "pkg:npm/ansi-styles@6.2.3", "UID": "5d80e3e684ad23d8", "BOMRef": "pkg:npm/ansi-styles@6.2.3" }, "Version": "6.2.3", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/ansi-styles/package.json", "Digest": "sha1:adb4944aaa807d2d90a6d54e220759c3081c10d2" }, { "ID": "aproba@2.1.0", "Name": "aproba", "Identifier": { "PURL": "pkg:npm/aproba@2.1.0", "UID": "6ae9b955f0a91390", "BOMRef": "pkg:npm/aproba@2.1.0" }, "Version": "2.1.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/aproba/package.json", "Digest": "sha1:1cc57d456b29f580ef93bb2fee5566d3e3285009" }, { "ID": "archy@1.0.0", "Name": "archy", "Identifier": { "PURL": "pkg:npm/archy@1.0.0", "UID": "65e6beb83c4ad8fc", "BOMRef": "pkg:npm/archy@1.0.0" }, "Version": "1.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/archy/package.json", "Digest": "sha1:3bd81e8f9d8e79057497b7473c6eac4f3d519149" }, { "ID": "balanced-match@1.0.2", "Name": "balanced-match", "Identifier": { "PURL": "pkg:npm/balanced-match@1.0.2", "UID": "589d12cfffd07720", "BOMRef": "pkg:npm/balanced-match@1.0.2" }, "Version": "1.0.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/balanced-match/package.json", "Digest": "sha1:ef0a0d2fd68c3396309ab54ab08c5f8d362436ea" }, { "ID": "bin-links@5.0.0", "Name": "bin-links", "Identifier": { "PURL": "pkg:npm/bin-links@5.0.0", "UID": "ebb98498d37c1eb5", "BOMRef": "pkg:npm/bin-links@5.0.0" }, "Version": "5.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/bin-links/package.json", "Digest": "sha1:7d183a1e12f89adf8e1b38038a8b34f9be897f40" }, { "ID": "binary-extensions@3.1.0", "Name": "binary-extensions", "Identifier": { "PURL": "pkg:npm/binary-extensions@3.1.0", "UID": "950bc98361d0ec82", "BOMRef": "pkg:npm/binary-extensions@3.1.0" }, "Version": "3.1.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/binary-extensions/package.json", "Digest": "sha1:fd41784d905c4769ecd7a2045234bf3336b20240" }, { "ID": "brace-expansion@2.0.2", "Name": "brace-expansion", "Identifier": { "PURL": "pkg:npm/brace-expansion@2.0.2", "UID": "535ea1a6cc3b3b4b", "BOMRef": "pkg:npm/brace-expansion@2.0.2" }, "Version": "2.0.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/brace-expansion/package.json", "Digest": "sha1:c2e8d8ccf674a808b63453e8432ae0f696375fbd" }, { "ID": "cacache@19.0.1", "Name": "cacache", "Identifier": { "PURL": "pkg:npm/cacache@19.0.1", "UID": "1a9b1ef96a5cb983", "BOMRef": "pkg:npm/cacache@19.0.1" }, "Version": "19.0.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/node-gyp/node_modules/cacache/package.json", "Digest": "sha1:4bfa58e7ac62a86d0f86b54faa34f063f3344a61" }, { "ID": "cacache@20.0.1", "Name": "cacache", "Identifier": { "PURL": "pkg:npm/cacache@20.0.1", "UID": "81d4f7aaecef53ae", "BOMRef": "pkg:npm/cacache@20.0.1" }, "Version": "20.0.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/cacache/package.json", "Digest": "sha1:1680c258e907f8a5844f3ddfd9334de3825ebf84" }, { "ID": "chalk@5.6.2", "Name": "chalk", "Identifier": { "PURL": "pkg:npm/chalk@5.6.2", "UID": "fe632621f6b5326c", "BOMRef": "pkg:npm/chalk@5.6.2" }, "Version": "5.6.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/chalk/package.json", "Digest": "sha1:468d2997b68c367664e82a1d1b8bc344c65a52f6" }, { "ID": "chownr@3.0.0", "Name": "chownr", "Identifier": { "PURL": "pkg:npm/chownr@3.0.0", "UID": "614828acd1fc4c2a", "BOMRef": "pkg:npm/chownr@3.0.0" }, "Version": "3.0.0", "Licenses": [ "BlueOak-1.0.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/chownr/package.json", "Digest": "sha1:fc7d452c2e7e9b57f311b04f8b5826656ccc8e1b" }, { "ID": "ci-info@4.3.1", "Name": "ci-info", "Identifier": { "PURL": "pkg:npm/ci-info@4.3.1", "UID": "ba51212a0348b58a", "BOMRef": "pkg:npm/ci-info@4.3.1" }, "Version": "4.3.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/ci-info/package.json", "Digest": "sha1:6b3b12a5534f6e76cb13a851250efc1bb7e5ff21" }, { "ID": "cidr-regex@5.0.1", "Name": "cidr-regex", "Identifier": { "PURL": "pkg:npm/cidr-regex@5.0.1", "UID": "8064a1496f4ef699", "BOMRef": "pkg:npm/cidr-regex@5.0.1" }, "Version": "5.0.1", "Licenses": [ "BSD-2-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/cidr-regex/package.json", "Digest": "sha1:472161dcb9eaebd9f280a0b36172ba21f93a9b86" }, { "ID": "cli-columns@4.0.0", "Name": "cli-columns", "Identifier": { "PURL": "pkg:npm/cli-columns@4.0.0", "UID": "2498f1b307d9ac29", "BOMRef": "pkg:npm/cli-columns@4.0.0" }, "Version": "4.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/cli-columns/package.json", "Digest": "sha1:06c7ce3d82ba512eafa34bab2566bcce77d4beb9" }, { "ID": "cmd-shim@7.0.0", "Name": "cmd-shim", "Identifier": { "PURL": "pkg:npm/cmd-shim@7.0.0", "UID": "73ee3b4450f24ac", "BOMRef": "pkg:npm/cmd-shim@7.0.0" }, "Version": "7.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/cmd-shim/package.json", "Digest": "sha1:31d3d08612d9deeb670d074f68fd539f1bc62080" }, { "ID": "color-convert@2.0.1", "Name": "color-convert", "Identifier": { "PURL": "pkg:npm/color-convert@2.0.1", "UID": "96dfc3751742155c", "BOMRef": "pkg:npm/color-convert@2.0.1" }, "Version": "2.0.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/color-convert/package.json", "Digest": "sha1:03f26ab8597e0117b7ad15bcfa9f0b31c8375ea9" }, { "ID": "color-name@1.1.4", "Name": "color-name", "Identifier": { "PURL": "pkg:npm/color-name@1.1.4", "UID": "d7a61b7839bccdec", "BOMRef": "pkg:npm/color-name@1.1.4" }, "Version": "1.1.4", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/color-name/package.json", "Digest": "sha1:411d7c87d5b1dec0d479aa13e3406b5c38ac34f5" }, { "ID": "common-ancestor-path@1.0.1", "Name": "common-ancestor-path", "Identifier": { "PURL": "pkg:npm/common-ancestor-path@1.0.1", "UID": "d0d054a69692ce7d", "BOMRef": "pkg:npm/common-ancestor-path@1.0.1" }, "Version": "1.0.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/common-ancestor-path/package.json", "Digest": "sha1:164a1acbc7cc3127c78c5da7b26667bf93b8b8c3" }, { "ID": "corepack@0.34.5", "Name": "corepack", "Identifier": { "PURL": "pkg:npm/corepack@0.34.5", "UID": "694eca174da87bd4", "BOMRef": "pkg:npm/corepack@0.34.5" }, "Version": "0.34.5", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/corepack/package.json", "Digest": "sha1:2c59efe8aa565dc3e10f82c7ab2d248e5d3e711f" }, { "ID": "cross-spawn@7.0.6", "Name": "cross-spawn", "Identifier": { "PURL": "pkg:npm/cross-spawn@7.0.6", "UID": "40adb9e8e5f3a77a", "BOMRef": "pkg:npm/cross-spawn@7.0.6" }, "Version": "7.0.6", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/cross-spawn/package.json", "Digest": "sha1:9becaa8ecb51ad9b303dd62369423cb9f287163a" }, { "ID": "cssesc@3.0.0", "Name": "cssesc", "Identifier": { "PURL": "pkg:npm/cssesc@3.0.0", "UID": "e2c38afffc0afea3", "BOMRef": "pkg:npm/cssesc@3.0.0" }, "Version": "3.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/cssesc/package.json", "Digest": "sha1:3a37cece4f715e91ef0aed027baea0039bb20087" }, { "ID": "debug@4.4.3", "Name": "debug", "Identifier": { "PURL": "pkg:npm/debug@4.4.3", "UID": "1072640e3e83a266", "BOMRef": "pkg:npm/debug@4.4.3" }, "Version": "4.4.3", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/debug/package.json", "Digest": "sha1:f1c3de400f61581ce6d6d43f9ec4c456cb8017f7" }, { "ID": "diff@8.0.2", "Name": "diff", "Identifier": { "PURL": "pkg:npm/diff@8.0.2", "UID": "7bf48c71b3c5bd16", "BOMRef": "pkg:npm/diff@8.0.2" }, "Version": "8.0.2", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/diff/package.json", "Digest": "sha1:719cc8a399073fae18f522fc26e7058f2048cd43" }, { "ID": "eastasianwidth@0.2.0", "Name": "eastasianwidth", "Identifier": { "PURL": "pkg:npm/eastasianwidth@0.2.0", "UID": "81e73b167cca22be", "BOMRef": "pkg:npm/eastasianwidth@0.2.0" }, "Version": "0.2.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/eastasianwidth/package.json", "Digest": "sha1:c3bff6d91fcbc648b17edd5f8e37bac1f47485a4" }, { "ID": "emoji-regex@8.0.0", "Name": "emoji-regex", "Identifier": { "PURL": "pkg:npm/emoji-regex@8.0.0", "UID": "d22339c0b23ef0a6", "BOMRef": "pkg:npm/emoji-regex@8.0.0" }, "Version": "8.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/emoji-regex/package.json", "Digest": "sha1:c26fe90da5886724a2676b8e3d5890beeacaad20" }, { "ID": "emoji-regex@9.2.2", "Name": "emoji-regex", "Identifier": { "PURL": "pkg:npm/emoji-regex@9.2.2", "UID": "67c0acdb567d4dea", "BOMRef": "a8744cd0-78ff-4399-a104-097cde538742" }, "Version": "9.2.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@isaacs/cliui/node_modules/emoji-regex/package.json", "Digest": "sha1:238c48183550d02ab5c0dd37e13d57006dce640a" }, { "ID": "emoji-regex@9.2.2", "Name": "emoji-regex", "Identifier": { "PURL": "pkg:npm/emoji-regex@9.2.2", "UID": "a872fe2d5c02e72a", "BOMRef": "ac5bce26-721c-4920-b241-83aa3607751a" }, "Version": "9.2.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/wrap-ansi/node_modules/emoji-regex/package.json", "Digest": "sha1:238c48183550d02ab5c0dd37e13d57006dce640a" }, { "ID": "encoding@0.1.13", "Name": "encoding", "Identifier": { "PURL": "pkg:npm/encoding@0.1.13", "UID": "2bd5a240ae6fcf64", "BOMRef": "pkg:npm/encoding@0.1.13" }, "Version": "0.1.13", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/encoding/package.json", "Digest": "sha1:52b117f2bc3113970224b9dc97b7fc18f7df30ab" }, { "ID": "env-paths@2.2.1", "Name": "env-paths", "Identifier": { "PURL": "pkg:npm/env-paths@2.2.1", "UID": "16cc23182a9b8222", "BOMRef": "pkg:npm/env-paths@2.2.1" }, "Version": "2.2.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/env-paths/package.json", "Digest": "sha1:b5b570f41c1d3e8f251fd06d075cefea4a3449a9" }, { "ID": "err-code@2.0.3", "Name": "err-code", "Identifier": { "PURL": "pkg:npm/err-code@2.0.3", "UID": "fb2a3242f30cadba", "BOMRef": "pkg:npm/err-code@2.0.3" }, "Version": "2.0.3", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/err-code/package.json", "Digest": "sha1:5c7bc63340bc312d1563bb2b369e333e1165ab04" }, { "ID": "exponential-backoff@3.1.2", "Name": "exponential-backoff", "Identifier": { "PURL": "pkg:npm/exponential-backoff@3.1.2", "UID": "931691410f33f13", "BOMRef": "pkg:npm/exponential-backoff@3.1.2" }, "Version": "3.1.2", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/exponential-backoff/package.json", "Digest": "sha1:af54bb38a82b5a0d058c722fac83b3bf91fff3f5" }, { "ID": "fastest-levenshtein@1.0.16", "Name": "fastest-levenshtein", "Identifier": { "PURL": "pkg:npm/fastest-levenshtein@1.0.16", "UID": "a21656e790305908", "BOMRef": "pkg:npm/fastest-levenshtein@1.0.16" }, "Version": "1.0.16", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/fastest-levenshtein/package.json", "Digest": "sha1:3aca1160ba8ff112a40cdfd2c860a5d6cd689391" }, { "ID": "fdir@6.5.0", "Name": "fdir", "Identifier": { "PURL": "pkg:npm/fdir@6.5.0", "UID": "c7aeec6b637a1443", "BOMRef": "pkg:npm/fdir@6.5.0" }, "Version": "6.5.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tinyglobby/node_modules/fdir/package.json", "Digest": "sha1:87c30edff77dd2a0847ac92b0a76837682d64eb2" }, { "ID": "foreground-child@3.3.1", "Name": "foreground-child", "Identifier": { "PURL": "pkg:npm/foreground-child@3.3.1", "UID": "7a6f1737158d434f", "BOMRef": "pkg:npm/foreground-child@3.3.1" }, "Version": "3.3.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/foreground-child/package.json", "Digest": "sha1:ca2af14071df0e6084e5797f9fbcf179d51f9e5d" }, { "ID": "fs-minipass@3.0.3", "Name": "fs-minipass", "Identifier": { "PURL": "pkg:npm/fs-minipass@3.0.3", "UID": "29977d71ba543119", "BOMRef": "pkg:npm/fs-minipass@3.0.3" }, "Version": "3.0.3", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/fs-minipass/package.json", "Digest": "sha1:2e472ead48322dd560133d10f39db20ee5e3fae1" }, { "ID": "glob@10.4.5", "Name": "glob", "Identifier": { "PURL": "pkg:npm/glob@10.4.5", "UID": "6ea054fc5de229e9", "BOMRef": "pkg:npm/glob@10.4.5" }, "Version": "10.4.5", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob/package.json", "Digest": "sha1:fd815b4c5b195a178a7d55053a39c28202d6ce7c" }, { "ID": "glob@11.0.3", "Name": "glob", "Identifier": { "PURL": "pkg:npm/glob@11.0.3", "UID": "6b022e71675d53b8", "BOMRef": "pkg:npm/glob@11.0.3" }, "Version": "11.0.3", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/glob/package.json", "Digest": "sha1:d6ba1b347026dc0b03d5d5a448c2912a3d438e1d" }, { "ID": "graceful-fs@4.2.11", "Name": "graceful-fs", "Identifier": { "PURL": "pkg:npm/graceful-fs@4.2.11", "UID": "726e52d33740af92", "BOMRef": "pkg:npm/graceful-fs@4.2.11" }, "Version": "4.2.11", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/graceful-fs/package.json", "Digest": "sha1:21a733b3f7e2ee153041de90fb03d5596934f346" }, { "ID": "hosted-git-info@9.0.2", "Name": "hosted-git-info", "Identifier": { "PURL": "pkg:npm/hosted-git-info@9.0.2", "UID": "11917be485129c29", "BOMRef": "pkg:npm/hosted-git-info@9.0.2" }, "Version": "9.0.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/hosted-git-info/package.json", "Digest": "sha1:bd2953244687bfff7fdc74a3798a66119f64428e" }, { "ID": "http-cache-semantics@4.2.0", "Name": "http-cache-semantics", "Identifier": { "PURL": "pkg:npm/http-cache-semantics@4.2.0", "UID": "f89a12cd3bb1b44e", "BOMRef": "pkg:npm/http-cache-semantics@4.2.0" }, "Version": "4.2.0", "Licenses": [ "BSD-2-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/http-cache-semantics/package.json", "Digest": "sha1:563b0d8af1a9641083e8f6cefbf4259fa845e7ca" }, { "ID": "http-proxy-agent@7.0.2", "Name": "http-proxy-agent", "Identifier": { "PURL": "pkg:npm/http-proxy-agent@7.0.2", "UID": "9e3ec0eff389aac7", "BOMRef": "pkg:npm/http-proxy-agent@7.0.2" }, "Version": "7.0.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/http-proxy-agent/package.json", "Digest": "sha1:f8b2b2bf2f3e2f8491496f9efe80b96442a803a9" }, { "ID": "https-proxy-agent@7.0.6", "Name": "https-proxy-agent", "Identifier": { "PURL": "pkg:npm/https-proxy-agent@7.0.6", "UID": "30d0169acb1b40e4", "BOMRef": "pkg:npm/https-proxy-agent@7.0.6" }, "Version": "7.0.6", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/https-proxy-agent/package.json", "Digest": "sha1:17ea193ab8be5c579a2d10e9a13bff389858f7e8" }, { "ID": "iconv-lite@0.6.3", "Name": "iconv-lite", "Identifier": { "PURL": "pkg:npm/iconv-lite@0.6.3", "UID": "64ed9b34fe6008a6", "BOMRef": "pkg:npm/iconv-lite@0.6.3" }, "Version": "0.6.3", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/iconv-lite/package.json", "Digest": "sha1:a3d90badf75db503f5dd3ff3fb76d120d1424978" }, { "ID": "ignore-walk@8.0.0", "Name": "ignore-walk", "Identifier": { "PURL": "pkg:npm/ignore-walk@8.0.0", "UID": "eb673b60992734a4", "BOMRef": "pkg:npm/ignore-walk@8.0.0" }, "Version": "8.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/ignore-walk/package.json", "Digest": "sha1:48b090250976a784406de6d243cb8221ac357a08" }, { "ID": "imurmurhash@0.1.4", "Name": "imurmurhash", "Identifier": { "PURL": "pkg:npm/imurmurhash@0.1.4", "UID": "ee191dc8a1b6e500", "BOMRef": "pkg:npm/imurmurhash@0.1.4" }, "Version": "0.1.4", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/imurmurhash/package.json", "Digest": "sha1:a28f2b413385af4188c4fc0ad1e0c38c2cd03cf4" }, { "ID": "ini@5.0.0", "Name": "ini", "Identifier": { "PURL": "pkg:npm/ini@5.0.0", "UID": "e13809f048474918", "BOMRef": "pkg:npm/ini@5.0.0" }, "Version": "5.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/ini/package.json", "Digest": "sha1:6f82de9e6ee727a4e745446e6687d6dc4a13bc0f" }, { "ID": "init-package-json@8.2.2", "Name": "init-package-json", "Identifier": { "PURL": "pkg:npm/init-package-json@8.2.2", "UID": "7b0569dc8ce89f2a", "BOMRef": "pkg:npm/init-package-json@8.2.2" }, "Version": "8.2.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/init-package-json/package.json", "Digest": "sha1:fd90752e9caf5c625bc4f238dd7498c6e759f0a8" }, { "ID": "ip-address@10.0.1", "Name": "ip-address", "Identifier": { "PURL": "pkg:npm/ip-address@10.0.1", "UID": "97d641ba399e7c71", "BOMRef": "pkg:npm/ip-address@10.0.1" }, "Version": "10.0.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/ip-address/package.json", "Digest": "sha1:c08d23fa891935fb24a5e1a07334197e8974138a" }, { "ID": "ip-regex@5.0.0", "Name": "ip-regex", "Identifier": { "PURL": "pkg:npm/ip-regex@5.0.0", "UID": "eb2f60969c0db15c", "BOMRef": "pkg:npm/ip-regex@5.0.0" }, "Version": "5.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/ip-regex/package.json", "Digest": "sha1:e3ebe61a5855188e86da90f29b0ea8c44793b9f0" }, { "ID": "is-cidr@6.0.1", "Name": "is-cidr", "Identifier": { "PURL": "pkg:npm/is-cidr@6.0.1", "UID": "785fa0aee5555d5c", "BOMRef": "pkg:npm/is-cidr@6.0.1" }, "Version": "6.0.1", "Licenses": [ "BSD-2-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/is-cidr/package.json", "Digest": "sha1:7ae4aacf966b4f49bd609909796a7700fd8e877d" }, { "ID": "is-fullwidth-code-point@3.0.0", "Name": "is-fullwidth-code-point", "Identifier": { "PURL": "pkg:npm/is-fullwidth-code-point@3.0.0", "UID": "e447e9c14b516f90", "BOMRef": "pkg:npm/is-fullwidth-code-point@3.0.0" }, "Version": "3.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/is-fullwidth-code-point/package.json", "Digest": "sha1:49dbcba3eb3e3cba5b97bce28eb6194775d23c88" }, { "ID": "isexe@2.0.0", "Name": "isexe", "Identifier": { "PURL": "pkg:npm/isexe@2.0.0", "UID": "e98452acf6ed680c", "BOMRef": "pkg:npm/isexe@2.0.0" }, "Version": "2.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/cross-spawn/node_modules/isexe/package.json", "Digest": "sha1:3b3eab80c4ffd08eef6b3381b98de7be3649d06b" }, { "ID": "isexe@3.1.1", "Name": "isexe", "Identifier": { "PURL": "pkg:npm/isexe@3.1.1", "UID": "e802132a4a50d7d9", "BOMRef": "pkg:npm/isexe@3.1.1" }, "Version": "3.1.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/isexe/package.json", "Digest": "sha1:33fc88b1f05370bb6518291c601cf96cfcafdc3b" }, { "ID": "jackspeak@3.4.3", "Name": "jackspeak", "Identifier": { "PURL": "pkg:npm/jackspeak@3.4.3", "UID": "6ee93393b84b2999", "BOMRef": "pkg:npm/jackspeak@3.4.3" }, "Version": "3.4.3", "Licenses": [ "BlueOak-1.0.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/node-gyp/node_modules/jackspeak/package.json", "Digest": "sha1:15e15f7f7565d0a355be813b2e68eb35e65102a5" }, { "ID": "jackspeak@4.1.1", "Name": "jackspeak", "Identifier": { "PURL": "pkg:npm/jackspeak@4.1.1", "UID": "5438fcc1b71ba4e2", "BOMRef": "pkg:npm/jackspeak@4.1.1" }, "Version": "4.1.1", "Licenses": [ "BlueOak-1.0.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/jackspeak/package.json", "Digest": "sha1:8997e3643b1400526da8981a9f1ed0bc41a60261" }, { "ID": "json-parse-even-better-errors@4.0.0", "Name": "json-parse-even-better-errors", "Identifier": { "PURL": "pkg:npm/json-parse-even-better-errors@4.0.0", "UID": "d1eb7a124e75dc7b", "BOMRef": "pkg:npm/json-parse-even-better-errors@4.0.0" }, "Version": "4.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/json-parse-even-better-errors/package.json", "Digest": "sha1:6fb81ff6b422e2dd97dbd03d6095016aa7a4317e" }, { "ID": "json-stringify-nice@1.1.4", "Name": "json-stringify-nice", "Identifier": { "PURL": "pkg:npm/json-stringify-nice@1.1.4", "UID": "24c92a93b44d8f6a", "BOMRef": "pkg:npm/json-stringify-nice@1.1.4" }, "Version": "1.1.4", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/json-stringify-nice/package.json", "Digest": "sha1:adef02a4345a493535ccb990b09f850508ae516f" }, { "ID": "jsonparse@1.3.1", "Name": "jsonparse", "Identifier": { "PURL": "pkg:npm/jsonparse@1.3.1", "UID": "fab0c04631582e11", "BOMRef": "pkg:npm/jsonparse@1.3.1" }, "Version": "1.3.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/jsonparse/package.json", "Digest": "sha1:ec0bb766bf32ebd53d835393da006bb834a663fd" }, { "ID": "just-diff@6.0.2", "Name": "just-diff", "Identifier": { "PURL": "pkg:npm/just-diff@6.0.2", "UID": "eafbbe77145b714b", "BOMRef": "pkg:npm/just-diff@6.0.2" }, "Version": "6.0.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/just-diff/package.json", "Digest": "sha1:396a274e87b3ad6a3704a76cf18fbb2a9dd45ada" }, { "ID": "just-diff-apply@5.5.0", "Name": "just-diff-apply", "Identifier": { "PURL": "pkg:npm/just-diff-apply@5.5.0", "UID": "e43305e984e8a4d8", "BOMRef": "pkg:npm/just-diff-apply@5.5.0" }, "Version": "5.5.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/just-diff-apply/package.json", "Digest": "sha1:26d39d00f0fc1ddfe4974dbe69691f9c09ad9036" }, { "ID": "libnpmaccess@10.0.3", "Name": "libnpmaccess", "Identifier": { "PURL": "pkg:npm/libnpmaccess@10.0.3", "UID": "6add69f0b6580ae0", "BOMRef": "pkg:npm/libnpmaccess@10.0.3" }, "Version": "10.0.3", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/libnpmaccess/package.json", "Digest": "sha1:c1d01036aa963e18b715c0bf3ec1bdad5d39d0be" }, { "ID": "libnpmdiff@8.0.9", "Name": "libnpmdiff", "Identifier": { "PURL": "pkg:npm/libnpmdiff@8.0.9", "UID": "6c966efb9d6371d1", "BOMRef": "pkg:npm/libnpmdiff@8.0.9" }, "Version": "8.0.9", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/libnpmdiff/package.json", "Digest": "sha1:08529ea2d28cea59a474b7a9b8d07dfd33842d72" }, { "ID": "libnpmexec@10.1.8", "Name": "libnpmexec", "Identifier": { "PURL": "pkg:npm/libnpmexec@10.1.8", "UID": "8d2876b6174a5002", "BOMRef": "pkg:npm/libnpmexec@10.1.8" }, "Version": "10.1.8", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/libnpmexec/package.json", "Digest": "sha1:42067a230f8087be6622933bc2204beb43c65053" }, { "ID": "libnpmfund@7.0.9", "Name": "libnpmfund", "Identifier": { "PURL": "pkg:npm/libnpmfund@7.0.9", "UID": "71f17e280a1e1968", "BOMRef": "pkg:npm/libnpmfund@7.0.9" }, "Version": "7.0.9", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/libnpmfund/package.json", "Digest": "sha1:1906251db79b7a437239f95aa0df79c7c554619e" }, { "ID": "libnpmorg@8.0.1", "Name": "libnpmorg", "Identifier": { "PURL": "pkg:npm/libnpmorg@8.0.1", "UID": "e45241b453fa5644", "BOMRef": "pkg:npm/libnpmorg@8.0.1" }, "Version": "8.0.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/libnpmorg/package.json", "Digest": "sha1:bb751a1dee75e700037086efe488eaadcf29345f" }, { "ID": "libnpmpack@9.0.9", "Name": "libnpmpack", "Identifier": { "PURL": "pkg:npm/libnpmpack@9.0.9", "UID": "a22bc58f73cd13b8", "BOMRef": "pkg:npm/libnpmpack@9.0.9" }, "Version": "9.0.9", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/libnpmpack/package.json", "Digest": "sha1:9946d06d2edee965070b52064492a9f7bc63194e" }, { "ID": "libnpmpublish@11.1.2", "Name": "libnpmpublish", "Identifier": { "PURL": "pkg:npm/libnpmpublish@11.1.2", "UID": "90e7dcbe337687b", "BOMRef": "pkg:npm/libnpmpublish@11.1.2" }, "Version": "11.1.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/libnpmpublish/package.json", "Digest": "sha1:cee9c37cf9421b071b038e99b83e2d60f355d7f1" }, { "ID": "libnpmsearch@9.0.1", "Name": "libnpmsearch", "Identifier": { "PURL": "pkg:npm/libnpmsearch@9.0.1", "UID": "e035275cff9082a9", "BOMRef": "pkg:npm/libnpmsearch@9.0.1" }, "Version": "9.0.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/libnpmsearch/package.json", "Digest": "sha1:839c733ea34fee24f8639d9514b827f20634aa47" }, { "ID": "libnpmteam@8.0.2", "Name": "libnpmteam", "Identifier": { "PURL": "pkg:npm/libnpmteam@8.0.2", "UID": "e8e7f22264965d9a", "BOMRef": "pkg:npm/libnpmteam@8.0.2" }, "Version": "8.0.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/libnpmteam/package.json", "Digest": "sha1:4638228278157df58223fce221f2b21e99a43351" }, { "ID": "libnpmversion@8.0.2", "Name": "libnpmversion", "Identifier": { "PURL": "pkg:npm/libnpmversion@8.0.2", "UID": "20d9ebf636047a56", "BOMRef": "pkg:npm/libnpmversion@8.0.2" }, "Version": "8.0.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/libnpmversion/package.json", "Digest": "sha1:6508dfbbc8b9d0b7f7c4c0310fcb0a4b6c244754" }, { "ID": "litellm-dashboard@0.1.0", "Name": "litellm-dashboard", "Identifier": { "PURL": "pkg:npm/litellm-dashboard@0.1.0", "UID": "60c0060ac43351b1", "BOMRef": "pkg:npm/litellm-dashboard@0.1.0" }, "Version": "0.1.0", "Layer": { "Digest": "sha256:40888edda03e44c8a1e4a277f03ffebb3958981d8b38be07fd1a48d7aedfcfce", "DiffID": "sha256:65f335e81c9b2e62fb2d29b601e9b3db900f4491a09cfe4b57699b7cda675eb0" }, "FilePath": "app/ui/litellm-dashboard/package.json", "Digest": "sha1:2d010ec5d5387089771b1faf6a77c80038986375" }, { "ID": "lru-cache@10.4.3", "Name": "lru-cache", "Identifier": { "PURL": "pkg:npm/lru-cache@10.4.3", "UID": "83a68b9168ba2160", "BOMRef": "pkg:npm/lru-cache@10.4.3" }, "Version": "10.4.3", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/node-gyp/node_modules/lru-cache/package.json", "Digest": "sha1:eba45f816c43b1e505440b7a7f8392e38ba11306" }, { "ID": "lru-cache@11.2.2", "Name": "lru-cache", "Identifier": { "PURL": "pkg:npm/lru-cache@11.2.2", "UID": "dd4df575dee88bcd", "BOMRef": "pkg:npm/lru-cache@11.2.2" }, "Version": "11.2.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/lru-cache/package.json", "Digest": "sha1:6dd2a4249041a81465f9774e129f7b29c27a6f80" }, { "ID": "make-fetch-happen@14.0.3", "Name": "make-fetch-happen", "Identifier": { "PURL": "pkg:npm/make-fetch-happen@14.0.3", "UID": "30a575ea3580426", "BOMRef": "pkg:npm/make-fetch-happen@14.0.3" }, "Version": "14.0.3", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/node-gyp/node_modules/make-fetch-happen/package.json", "Digest": "sha1:4e321611ef7ad4a60c9b8db56a8e49c35f4624f5" }, { "ID": "make-fetch-happen@15.0.2", "Name": "make-fetch-happen", "Identifier": { "PURL": "pkg:npm/make-fetch-happen@15.0.2", "UID": "a3cefd7224342543", "BOMRef": "pkg:npm/make-fetch-happen@15.0.2" }, "Version": "15.0.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/make-fetch-happen/package.json", "Digest": "sha1:da7290a1f11c33952730308c1a35b3031addcbea" }, { "ID": "minimatch@10.0.3", "Name": "minimatch", "Identifier": { "PURL": "pkg:npm/minimatch@10.0.3", "UID": "644cae48932df74", "BOMRef": "pkg:npm/minimatch@10.0.3" }, "Version": "10.0.3", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/minimatch/package.json", "Digest": "sha1:052b0b10a498caa8cff3370cf90554d3b8be575c" }, { "ID": "minimatch@9.0.5", "Name": "minimatch", "Identifier": { "PURL": "pkg:npm/minimatch@9.0.5", "UID": "120f9e0551bc725e", "BOMRef": "9bf7da2c-58d4-4a91-a83a-157984d5bc3f" }, "Version": "9.0.5", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@tufjs/models/node_modules/minimatch/package.json", "Digest": "sha1:fad71756ee05319a797b6ec51669df8e01e76379" }, { "ID": "minimatch@9.0.5", "Name": "minimatch", "Identifier": { "PURL": "pkg:npm/minimatch@9.0.5", "UID": "f8c59c6ffd80bf78", "BOMRef": "282b82d8-42d7-4f45-8bfb-b8d160c7e92b" }, "Version": "9.0.5", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/node-gyp/node_modules/minimatch/package.json", "Digest": "sha1:fad71756ee05319a797b6ec51669df8e01e76379" }, { "ID": "minipass@3.3.6", "Name": "minipass", "Identifier": { "PURL": "pkg:npm/minipass@3.3.6", "UID": "f03cdc9d6c11ba78", "BOMRef": "f528bb0b-a81c-4158-b7e9-f3d59a25fb90" }, "Version": "3.3.6", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/minipass-flush/node_modules/minipass/package.json", "Digest": "sha1:fc79b496665e2cdfc4bdaac9c7d7c4b2f4645f2c" }, { "ID": "minipass@3.3.6", "Name": "minipass", "Identifier": { "PURL": "pkg:npm/minipass@3.3.6", "UID": "5426941396183c79", "BOMRef": "29489212-def5-457d-a6bc-f838847f9771" }, "Version": "3.3.6", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/minipass-pipeline/node_modules/minipass/package.json", "Digest": "sha1:fc79b496665e2cdfc4bdaac9c7d7c4b2f4645f2c" }, { "ID": "minipass@3.3.6", "Name": "minipass", "Identifier": { "PURL": "pkg:npm/minipass@3.3.6", "UID": "a9acea45558991b2", "BOMRef": "01688e63-baba-4503-97fa-0ce83f1815c6" }, "Version": "3.3.6", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/minipass-sized/node_modules/minipass/package.json", "Digest": "sha1:fc79b496665e2cdfc4bdaac9c7d7c4b2f4645f2c" }, { "ID": "minipass@7.1.2", "Name": "minipass", "Identifier": { "PURL": "pkg:npm/minipass@7.1.2", "UID": "816b66ee2dedb846", "BOMRef": "pkg:npm/minipass@7.1.2" }, "Version": "7.1.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/minipass/package.json", "Digest": "sha1:798df22ae1185484c372b4da30c4d75a0e7ea572" }, { "ID": "minipass-collect@2.0.1", "Name": "minipass-collect", "Identifier": { "PURL": "pkg:npm/minipass-collect@2.0.1", "UID": "d2213c2fe4a59947", "BOMRef": "pkg:npm/minipass-collect@2.0.1" }, "Version": "2.0.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/minipass-collect/package.json", "Digest": "sha1:7ca3a77ca7b795148ecee5d9ebbe96e968dddb15" }, { "ID": "minipass-fetch@4.0.1", "Name": "minipass-fetch", "Identifier": { "PURL": "pkg:npm/minipass-fetch@4.0.1", "UID": "a66bedf555bd4329", "BOMRef": "pkg:npm/minipass-fetch@4.0.1" }, "Version": "4.0.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/minipass-fetch/package.json", "Digest": "sha1:20a8b7cdd0d9df659a448aef3a4589ca2a95d39e" }, { "ID": "minipass-flush@1.0.5", "Name": "minipass-flush", "Identifier": { "PURL": "pkg:npm/minipass-flush@1.0.5", "UID": "f8d647c83d8551bd", "BOMRef": "pkg:npm/minipass-flush@1.0.5" }, "Version": "1.0.5", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/minipass-flush/package.json", "Digest": "sha1:c89612a2a9c68141b8271bbc94bcc88067c29790" }, { "ID": "minipass-pipeline@1.2.4", "Name": "minipass-pipeline", "Identifier": { "PURL": "pkg:npm/minipass-pipeline@1.2.4", "UID": "7b4d8797edc2cfcd", "BOMRef": "pkg:npm/minipass-pipeline@1.2.4" }, "Version": "1.2.4", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/minipass-pipeline/package.json", "Digest": "sha1:e30c58465801deaceb4b81898e531c75679563b1" }, { "ID": "minipass-sized@1.0.3", "Name": "minipass-sized", "Identifier": { "PURL": "pkg:npm/minipass-sized@1.0.3", "UID": "2d341612cb4b913a", "BOMRef": "pkg:npm/minipass-sized@1.0.3" }, "Version": "1.0.3", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/minipass-sized/package.json", "Digest": "sha1:615e0e93dfdbc65b217029380591abc9e9b64136" }, { "ID": "minizlib@3.1.0", "Name": "minizlib", "Identifier": { "PURL": "pkg:npm/minizlib@3.1.0", "UID": "a1dc5aeb61d6dcd3", "BOMRef": "pkg:npm/minizlib@3.1.0" }, "Version": "3.1.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/minizlib/package.json", "Digest": "sha1:ecda8f42a2256be6ae9bba8a268ae3964683fe09" }, { "ID": "ms@2.1.3", "Name": "ms", "Identifier": { "PURL": "pkg:npm/ms@2.1.3", "UID": "e94ac29d0b2f0850", "BOMRef": "pkg:npm/ms@2.1.3" }, "Version": "2.1.3", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/ms/package.json", "Digest": "sha1:c290eb97736177176d071da4ac855ab995685c97" }, { "ID": "mute-stream@2.0.0", "Name": "mute-stream", "Identifier": { "PURL": "pkg:npm/mute-stream@2.0.0", "UID": "b0ad9a88d7a07b46", "BOMRef": "pkg:npm/mute-stream@2.0.0" }, "Version": "2.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/mute-stream/package.json", "Digest": "sha1:7f9eff4bc99d6d99dfa22506626bf4d2ec36530c" }, { "ID": "negotiator@1.0.0", "Name": "negotiator", "Identifier": { "PURL": "pkg:npm/negotiator@1.0.0", "UID": "c1dc1b731873858c", "BOMRef": "pkg:npm/negotiator@1.0.0" }, "Version": "1.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/negotiator/package.json", "Digest": "sha1:046524b23a7aefb2b0cfd3ebbd0fd84c0f7df3f6" }, { "ID": "node-gyp@11.4.2", "Name": "node-gyp", "Identifier": { "PURL": "pkg:npm/node-gyp@11.4.2", "UID": "e99c6f726986351c", "BOMRef": "pkg:npm/node-gyp@11.4.2" }, "Version": "11.4.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/node-gyp/package.json", "Digest": "sha1:ccf15dc1a8d1d80613e27c704d1776222cc81229" }, { "ID": "nopt@8.1.0", "Name": "nopt", "Identifier": { "PURL": "pkg:npm/nopt@8.1.0", "UID": "199138c1699e873f", "BOMRef": "pkg:npm/nopt@8.1.0" }, "Version": "8.1.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/nopt/package.json", "Digest": "sha1:317e51d1f350fa28d851280d460bebcd9154acca" }, { "ID": "npm@11.6.2", "Name": "npm", "Identifier": { "PURL": "pkg:npm/npm@11.6.2", "UID": "f945e3678dac1043", "BOMRef": "pkg:npm/npm@11.6.2" }, "Version": "11.6.2", "Licenses": [ "Artistic-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/package.json", "Digest": "sha1:d6bc9f75c73d458b7b308a38ee9a9391fbd83b04" }, { "ID": "npm-audit-report@6.0.0", "Name": "npm-audit-report", "Identifier": { "PURL": "pkg:npm/npm-audit-report@6.0.0", "UID": "ebad929192002892", "BOMRef": "pkg:npm/npm-audit-report@6.0.0" }, "Version": "6.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/npm-audit-report/package.json", "Digest": "sha1:c6d99ebde23570472f511de67beedd2a9c0a21fb" }, { "ID": "npm-bundled@4.0.0", "Name": "npm-bundled", "Identifier": { "PURL": "pkg:npm/npm-bundled@4.0.0", "UID": "2e99e8b074420268", "BOMRef": "pkg:npm/npm-bundled@4.0.0" }, "Version": "4.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/npm-bundled/package.json", "Digest": "sha1:12ea20fbce124e65be448ec472b370cd1a4e4e9a" }, { "ID": "npm-install-checks@7.1.2", "Name": "npm-install-checks", "Identifier": { "PURL": "pkg:npm/npm-install-checks@7.1.2", "UID": "4989db8c74cd4527", "BOMRef": "pkg:npm/npm-install-checks@7.1.2" }, "Version": "7.1.2", "Licenses": [ "BSD-2-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/npm-install-checks/package.json", "Digest": "sha1:52ed94975a6a5114ded7355615eecbca003fa139" }, { "ID": "npm-normalize-package-bin@4.0.0", "Name": "npm-normalize-package-bin", "Identifier": { "PURL": "pkg:npm/npm-normalize-package-bin@4.0.0", "UID": "cb2ba47384a6f5c0", "BOMRef": "pkg:npm/npm-normalize-package-bin@4.0.0" }, "Version": "4.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/npm-normalize-package-bin/package.json", "Digest": "sha1:fd34d45c247025dea9a507fb9db4586afa05c732" }, { "ID": "npm-package-arg@13.0.1", "Name": "npm-package-arg", "Identifier": { "PURL": "pkg:npm/npm-package-arg@13.0.1", "UID": "990e9056935adc78", "BOMRef": "pkg:npm/npm-package-arg@13.0.1" }, "Version": "13.0.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/npm-package-arg/package.json", "Digest": "sha1:a381d17d55aaf006600639a375b790c73d8e4f7e" }, { "ID": "npm-packlist@10.0.2", "Name": "npm-packlist", "Identifier": { "PURL": "pkg:npm/npm-packlist@10.0.2", "UID": "5a38a98d06d8e0f", "BOMRef": "pkg:npm/npm-packlist@10.0.2" }, "Version": "10.0.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/npm-packlist/package.json", "Digest": "sha1:79c1cf949293a2c40b820bb705fb33d6a20d249d" }, { "ID": "npm-pick-manifest@11.0.1", "Name": "npm-pick-manifest", "Identifier": { "PURL": "pkg:npm/npm-pick-manifest@11.0.1", "UID": "4276954b1f24d59", "BOMRef": "pkg:npm/npm-pick-manifest@11.0.1" }, "Version": "11.0.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/npm-pick-manifest/package.json", "Digest": "sha1:a798b711f9e66c3134e245bee2c549634583713f" }, { "ID": "npm-profile@12.0.0", "Name": "npm-profile", "Identifier": { "PURL": "pkg:npm/npm-profile@12.0.0", "UID": "c21832d9012def5", "BOMRef": "pkg:npm/npm-profile@12.0.0" }, "Version": "12.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/npm-profile/package.json", "Digest": "sha1:7155fdd4afd5c21a85e5dc3053223cabc74adbe3" }, { "ID": "npm-registry-fetch@19.0.0", "Name": "npm-registry-fetch", "Identifier": { "PURL": "pkg:npm/npm-registry-fetch@19.0.0", "UID": "e19489dacda8d661", "BOMRef": "pkg:npm/npm-registry-fetch@19.0.0" }, "Version": "19.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/npm-registry-fetch/package.json", "Digest": "sha1:0edbb1a41148f0056036fa3ebc0677a5bc70c323" }, { "ID": "npm-user-validate@3.0.0", "Name": "npm-user-validate", "Identifier": { "PURL": "pkg:npm/npm-user-validate@3.0.0", "UID": "8f9b62d4cfed992f", "BOMRef": "pkg:npm/npm-user-validate@3.0.0" }, "Version": "3.0.0", "Licenses": [ "BSD-2-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/npm-user-validate/package.json", "Digest": "sha1:cfea52638093ceccf3bea4e6f09bd9370943e8de" }, { "ID": "p-map@7.0.3", "Name": "p-map", "Identifier": { "PURL": "pkg:npm/p-map@7.0.3", "UID": "1e82e1fb4f57e7e9", "BOMRef": "pkg:npm/p-map@7.0.3" }, "Version": "7.0.3", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/p-map/package.json", "Digest": "sha1:95eec87c2f7ed9f31ccd295eb97b9ce9d98c58ed" }, { "ID": "package-json-from-dist@1.0.1", "Name": "package-json-from-dist", "Identifier": { "PURL": "pkg:npm/package-json-from-dist@1.0.1", "UID": "cf3b2d1188a5f10a", "BOMRef": "pkg:npm/package-json-from-dist@1.0.1" }, "Version": "1.0.1", "Licenses": [ "BlueOak-1.0.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/package-json-from-dist/package.json", "Digest": "sha1:d93947bd52021bb5f785613249e0e198a3b48025" }, { "ID": "pacote@21.0.3", "Name": "pacote", "Identifier": { "PURL": "pkg:npm/pacote@21.0.3", "UID": "61e552d56a305fae", "BOMRef": "pkg:npm/pacote@21.0.3" }, "Version": "21.0.3", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/pacote/package.json", "Digest": "sha1:f4552e8ac648d87bd73028f236910019c6ff9436" }, { "ID": "parse-conflict-json@4.0.0", "Name": "parse-conflict-json", "Identifier": { "PURL": "pkg:npm/parse-conflict-json@4.0.0", "UID": "47336cc06bfb889", "BOMRef": "pkg:npm/parse-conflict-json@4.0.0" }, "Version": "4.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/parse-conflict-json/package.json", "Digest": "sha1:8113361744ef993fc1945a13ab153adfe70513f8" }, { "ID": "path-key@3.1.1", "Name": "path-key", "Identifier": { "PURL": "pkg:npm/path-key@3.1.1", "UID": "cca77593a69d290f", "BOMRef": "pkg:npm/path-key@3.1.1" }, "Version": "3.1.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/path-key/package.json", "Digest": "sha1:f330c46f59dbdd92dddf8a2cfc2c1569b469bdd2" }, { "ID": "path-scurry@1.11.1", "Name": "path-scurry", "Identifier": { "PURL": "pkg:npm/path-scurry@1.11.1", "UID": "1633d0f14372a6e6", "BOMRef": "pkg:npm/path-scurry@1.11.1" }, "Version": "1.11.1", "Licenses": [ "BlueOak-1.0.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/node-gyp/node_modules/path-scurry/package.json", "Digest": "sha1:57ceeacc9d50abbd7e370e6a697520cc0784baa6" }, { "ID": "path-scurry@2.0.0", "Name": "path-scurry", "Identifier": { "PURL": "pkg:npm/path-scurry@2.0.0", "UID": "44c4c0df44731810", "BOMRef": "pkg:npm/path-scurry@2.0.0" }, "Version": "2.0.0", "Licenses": [ "BlueOak-1.0.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/path-scurry/package.json", "Digest": "sha1:1c1e6249d24017c9e0c2791a82542960476a565d" }, { "ID": "picomatch@4.0.3", "Name": "picomatch", "Identifier": { "PURL": "pkg:npm/picomatch@4.0.3", "UID": "56cb1fc33efbea2b", "BOMRef": "pkg:npm/picomatch@4.0.3" }, "Version": "4.0.3", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tinyglobby/node_modules/picomatch/package.json", "Digest": "sha1:d5b57c1efc38eb0545dbf3eaffe857ba94597f07" }, { "ID": "postcss-selector-parser@7.1.0", "Name": "postcss-selector-parser", "Identifier": { "PURL": "pkg:npm/postcss-selector-parser@7.1.0", "UID": "cfef0e163694ad47", "BOMRef": "pkg:npm/postcss-selector-parser@7.1.0" }, "Version": "7.1.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/postcss-selector-parser/package.json", "Digest": "sha1:f3dd4406c5202c089400fad7c71a0694fc8e85dc" }, { "ID": "prisma@5.4.2", "Name": "prisma", "Identifier": { "PURL": "pkg:npm/prisma@5.4.2", "UID": "8d36426ec6800f7b", "BOMRef": "pkg:npm/prisma@5.4.2" }, "Version": "5.4.2", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:ab7957019ca0985582e60811f248f83f2c11b6c0542fe90df14bed31af721a9e", "DiffID": "sha256:f16a4cff816ff065507de0d9c3f1656540ccb51cce36de166212349c1ec60824" }, "FilePath": "root/.cache/prisma-python/binaries/5.4.2/ac9d7041ed77bcc8a8dbd2ab6616b39013829574/node_modules/prisma/package.json", "Digest": "sha1:233149234d81830aa27b624c884739e1f8c7498b" }, { "ID": "prisma-binaries@1.0.0", "Name": "prisma-binaries", "Identifier": { "PURL": "pkg:npm/prisma-binaries@1.0.0", "UID": "f52a31f03e21f137", "BOMRef": "pkg:npm/prisma-binaries@1.0.0" }, "Version": "1.0.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:ab7957019ca0985582e60811f248f83f2c11b6c0542fe90df14bed31af721a9e", "DiffID": "sha256:f16a4cff816ff065507de0d9c3f1656540ccb51cce36de166212349c1ec60824" }, "FilePath": "root/.cache/prisma-python/binaries/5.4.2/ac9d7041ed77bcc8a8dbd2ab6616b39013829574/package.json", "Digest": "sha1:13da9e1561789f778831c4ebefed1268d740601d" }, { "ID": "proc-log@5.0.0", "Name": "proc-log", "Identifier": { "PURL": "pkg:npm/proc-log@5.0.0", "UID": "f1aaf2c50f427b02", "BOMRef": "pkg:npm/proc-log@5.0.0" }, "Version": "5.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/proc-log/package.json", "Digest": "sha1:ef77e00bb180e2d474ef8ec427d3ddb2dffe8b60" }, { "ID": "proggy@3.0.0", "Name": "proggy", "Identifier": { "PURL": "pkg:npm/proggy@3.0.0", "UID": "ad2bf62d0a31cf8b", "BOMRef": "pkg:npm/proggy@3.0.0" }, "Version": "3.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/proggy/package.json", "Digest": "sha1:6760b8196686e9576f1031286d5dcfda786943bd" }, { "ID": "promise-all-reject-late@1.0.1", "Name": "promise-all-reject-late", "Identifier": { "PURL": "pkg:npm/promise-all-reject-late@1.0.1", "UID": "910274033c9b2b58", "BOMRef": "pkg:npm/promise-all-reject-late@1.0.1" }, "Version": "1.0.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/promise-all-reject-late/package.json", "Digest": "sha1:c88aa929d83fb2bbf326f7c62103da6b8c48c4df" }, { "ID": "promise-call-limit@3.0.2", "Name": "promise-call-limit", "Identifier": { "PURL": "pkg:npm/promise-call-limit@3.0.2", "UID": "1a309a6b48ce29d8", "BOMRef": "pkg:npm/promise-call-limit@3.0.2" }, "Version": "3.0.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/promise-call-limit/package.json", "Digest": "sha1:27f3261a15e6ace571c3ad192e878cec1d9358c9" }, { "ID": "promise-retry@2.0.1", "Name": "promise-retry", "Identifier": { "PURL": "pkg:npm/promise-retry@2.0.1", "UID": "97cf458bed583b7c", "BOMRef": "pkg:npm/promise-retry@2.0.1" }, "Version": "2.0.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/promise-retry/package.json", "Digest": "sha1:fc649cbedea73287db37a431e5761e9c0b4abca9" }, { "ID": "promzard@2.0.0", "Name": "promzard", "Identifier": { "PURL": "pkg:npm/promzard@2.0.0", "UID": "d3afc1388e18e8dd", "BOMRef": "pkg:npm/promzard@2.0.0" }, "Version": "2.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/promzard/package.json", "Digest": "sha1:0907f5a36bfb56f2e11b39ed343ca6296e7a514d" }, { "ID": "qrcode-terminal@0.12.0", "Name": "qrcode-terminal", "Identifier": { "PURL": "pkg:npm/qrcode-terminal@0.12.0", "UID": "d06a148964f5a15d", "BOMRef": "pkg:npm/qrcode-terminal@0.12.0" }, "Version": "0.12.0", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/qrcode-terminal/package.json", "Digest": "sha1:4a84ac3decfe9f31da851b98dedd698f935b83bc" }, { "ID": "read@4.1.0", "Name": "read", "Identifier": { "PURL": "pkg:npm/read@4.1.0", "UID": "4bb32952a0feb8c", "BOMRef": "pkg:npm/read@4.1.0" }, "Version": "4.1.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/read/package.json", "Digest": "sha1:537319f6c0eeaf2b59bae777fbda32e5bbce89ff" }, { "ID": "read-cmd-shim@5.0.0", "Name": "read-cmd-shim", "Identifier": { "PURL": "pkg:npm/read-cmd-shim@5.0.0", "UID": "361abf8914ff3190", "BOMRef": "pkg:npm/read-cmd-shim@5.0.0" }, "Version": "5.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/read-cmd-shim/package.json", "Digest": "sha1:3ad7a2af8954f4df2e9ee3e8af8897fb9a49e894" }, { "ID": "retry@0.12.0", "Name": "retry", "Identifier": { "PURL": "pkg:npm/retry@0.12.0", "UID": "cb333758857307bf", "BOMRef": "pkg:npm/retry@0.12.0" }, "Version": "0.12.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/retry/package.json", "Digest": "sha1:10dd0941e4e65c436c4f7111efdb1679c966c478" }, { "ID": "safer-buffer@2.1.2", "Name": "safer-buffer", "Identifier": { "PURL": "pkg:npm/safer-buffer@2.1.2", "UID": "9b65ca66a6ccff21", "BOMRef": "pkg:npm/safer-buffer@2.1.2" }, "Version": "2.1.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/safer-buffer/package.json", "Digest": "sha1:5ed0fab8e5cac53e4d072acbd82fca9be08f5e67" }, { "ID": "semver@7.7.3", "Name": "semver", "Identifier": { "PURL": "pkg:npm/semver@7.7.3", "UID": "f28783ca27aaba67", "BOMRef": "pkg:npm/semver@7.7.3" }, "Version": "7.7.3", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/semver/package.json", "Digest": "sha1:8b79d46abe6fc320567c34edb59ab3f88ed2f581" }, { "ID": "shebang-command@2.0.0", "Name": "shebang-command", "Identifier": { "PURL": "pkg:npm/shebang-command@2.0.0", "UID": "94d8ca8c13a2bcbf", "BOMRef": "pkg:npm/shebang-command@2.0.0" }, "Version": "2.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/shebang-command/package.json", "Digest": "sha1:2e2395a2e489846382e5cefdf011dcd7cacb82a5" }, { "ID": "shebang-regex@3.0.0", "Name": "shebang-regex", "Identifier": { "PURL": "pkg:npm/shebang-regex@3.0.0", "UID": "26dca7658f14cfd7", "BOMRef": "pkg:npm/shebang-regex@3.0.0" }, "Version": "3.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/shebang-regex/package.json", "Digest": "sha1:4c10640951d12ad418aa40c29b550fdfe3d2567a" }, { "ID": "signal-exit@4.1.0", "Name": "signal-exit", "Identifier": { "PURL": "pkg:npm/signal-exit@4.1.0", "UID": "117b8ba3fd433c69", "BOMRef": "pkg:npm/signal-exit@4.1.0" }, "Version": "4.1.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/signal-exit/package.json", "Digest": "sha1:7ed47a76d7f1a65c0920cbf3d9f09c4adb9cc961" }, { "ID": "sigstore@4.0.0", "Name": "sigstore", "Identifier": { "PURL": "pkg:npm/sigstore@4.0.0", "UID": "71a5dc45cb133b70", "BOMRef": "pkg:npm/sigstore@4.0.0" }, "Version": "4.0.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/sigstore/package.json", "Digest": "sha1:1c44f720163162fc2718c509f7d62ffb85c37f04" }, { "ID": "smart-buffer@4.2.0", "Name": "smart-buffer", "Identifier": { "PURL": "pkg:npm/smart-buffer@4.2.0", "UID": "14aef92d7c1495cf", "BOMRef": "pkg:npm/smart-buffer@4.2.0" }, "Version": "4.2.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/smart-buffer/package.json", "Digest": "sha1:a9db89be9421029bd73baf8199042a08253a0b59" }, { "ID": "socks@2.8.7", "Name": "socks", "Identifier": { "PURL": "pkg:npm/socks@2.8.7", "UID": "b557fc1acb96efa4", "BOMRef": "pkg:npm/socks@2.8.7" }, "Version": "2.8.7", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/socks/package.json", "Digest": "sha1:c92d113f3614e8c725fc4de50c3312bdcde18258" }, { "ID": "socks-proxy-agent@8.0.5", "Name": "socks-proxy-agent", "Identifier": { "PURL": "pkg:npm/socks-proxy-agent@8.0.5", "UID": "d1491efdae5c6ab4", "BOMRef": "pkg:npm/socks-proxy-agent@8.0.5" }, "Version": "8.0.5", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/socks-proxy-agent/package.json", "Digest": "sha1:a52f0cff949fd82f9e42d4214d2917964d7a9bdb" }, { "ID": "spdx-correct@3.2.0", "Name": "spdx-correct", "Identifier": { "PURL": "pkg:npm/spdx-correct@3.2.0", "UID": "2b754f3635506f1d", "BOMRef": "pkg:npm/spdx-correct@3.2.0" }, "Version": "3.2.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/spdx-correct/package.json", "Digest": "sha1:a7a8f7467469c676a88934b972d08c03c9a4b7b4" }, { "ID": "spdx-exceptions@2.5.0", "Name": "spdx-exceptions", "Identifier": { "PURL": "pkg:npm/spdx-exceptions@2.5.0", "UID": "de18e4e1edc2c355", "BOMRef": "pkg:npm/spdx-exceptions@2.5.0" }, "Version": "2.5.0", "Licenses": [ "CC-BY-3.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/spdx-exceptions/package.json", "Digest": "sha1:0f731ec5551fde840e6213e20cd9fbdc53468290" }, { "ID": "spdx-expression-parse@3.0.1", "Name": "spdx-expression-parse", "Identifier": { "PURL": "pkg:npm/spdx-expression-parse@3.0.1", "UID": "72f12fccff6aff24", "BOMRef": "8ae6567f-e07c-49d6-b915-dac4742e5a87" }, "Version": "3.0.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/spdx-correct/node_modules/spdx-expression-parse/package.json", "Digest": "sha1:72082a3e9d4efe5a06c914b7ffa738f35b550ffb" }, { "ID": "spdx-expression-parse@3.0.1", "Name": "spdx-expression-parse", "Identifier": { "PURL": "pkg:npm/spdx-expression-parse@3.0.1", "UID": "491b1f48e7f5f6c4", "BOMRef": "6944f438-853b-4b24-b20a-0e9a44801e1c" }, "Version": "3.0.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/validate-npm-package-license/node_modules/spdx-expression-parse/package.json", "Digest": "sha1:72082a3e9d4efe5a06c914b7ffa738f35b550ffb" }, { "ID": "spdx-expression-parse@4.0.0", "Name": "spdx-expression-parse", "Identifier": { "PURL": "pkg:npm/spdx-expression-parse@4.0.0", "UID": "ad3b0206545e994f", "BOMRef": "pkg:npm/spdx-expression-parse@4.0.0" }, "Version": "4.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/spdx-expression-parse/package.json", "Digest": "sha1:3f1b1059652d04327b6b0513080e242935399c30" }, { "ID": "spdx-license-ids@3.0.22", "Name": "spdx-license-ids", "Identifier": { "PURL": "pkg:npm/spdx-license-ids@3.0.22", "UID": "45fb59fd776949f4", "BOMRef": "pkg:npm/spdx-license-ids@3.0.22" }, "Version": "3.0.22", "Licenses": [ "CC0-1.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/spdx-license-ids/package.json", "Digest": "sha1:0c921a3dffa4e1c2bcfdf3559a7c1713090b08f2" }, { "ID": "ssri@12.0.0", "Name": "ssri", "Identifier": { "PURL": "pkg:npm/ssri@12.0.0", "UID": "fdcf01efb46b3d29", "BOMRef": "pkg:npm/ssri@12.0.0" }, "Version": "12.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/ssri/package.json", "Digest": "sha1:203926d505f969e44375e6a40942ce43ae490f44" }, { "ID": "string-width@4.2.3", "Name": "string-width", "Identifier": { "PURL": "pkg:npm/string-width@4.2.3", "UID": "3f62143811f3aeb4", "BOMRef": "59f61517-a9ad-4497-b0f1-5badd5ec0d5c" }, "Version": "4.2.3", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/string-width-cjs/package.json", "Digest": "sha1:a5306c15bba6cb123d9f061ca85eb56576c6638f" }, { "ID": "string-width@4.2.3", "Name": "string-width", "Identifier": { "PURL": "pkg:npm/string-width@4.2.3", "UID": "7b44c51df71b8d61", "BOMRef": "7667c488-37b3-4acc-b669-171a9611f4ef" }, "Version": "4.2.3", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/string-width/package.json", "Digest": "sha1:a5306c15bba6cb123d9f061ca85eb56576c6638f" }, { "ID": "string-width@5.1.2", "Name": "string-width", "Identifier": { "PURL": "pkg:npm/string-width@5.1.2", "UID": "7aa526a35a9e0e01", "BOMRef": "d9beba3b-72e3-4208-89e1-3c667e0a5dee" }, "Version": "5.1.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@isaacs/cliui/node_modules/string-width/package.json", "Digest": "sha1:53ae7a1b3953e86624927fec8421d453d9c88e41" }, { "ID": "string-width@5.1.2", "Name": "string-width", "Identifier": { "PURL": "pkg:npm/string-width@5.1.2", "UID": "36a67dd72f8ab80d", "BOMRef": "6837b5b6-3192-465d-b584-edebe0a08fa9" }, "Version": "5.1.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/wrap-ansi/node_modules/string-width/package.json", "Digest": "sha1:53ae7a1b3953e86624927fec8421d453d9c88e41" }, { "ID": "strip-ansi@6.0.1", "Name": "strip-ansi", "Identifier": { "PURL": "pkg:npm/strip-ansi@6.0.1", "UID": "c198ab627f363813", "BOMRef": "78ca1336-9bc7-4c1f-8307-39dcdfb335fc" }, "Version": "6.0.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/strip-ansi-cjs/package.json", "Digest": "sha1:892d549c672831716abe655f087946d2644f2852" }, { "ID": "strip-ansi@6.0.1", "Name": "strip-ansi", "Identifier": { "PURL": "pkg:npm/strip-ansi@6.0.1", "UID": "476ad1ec29df3ade", "BOMRef": "5c779753-6657-48ca-8334-7e1ec7e0b1fa" }, "Version": "6.0.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/strip-ansi/package.json", "Digest": "sha1:892d549c672831716abe655f087946d2644f2852" }, { "ID": "strip-ansi@7.1.2", "Name": "strip-ansi", "Identifier": { "PURL": "pkg:npm/strip-ansi@7.1.2", "UID": "2229b69012139726", "BOMRef": "54a79b78-1cb4-4f31-a5c7-3870319ecce8" }, "Version": "7.1.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@isaacs/cliui/node_modules/strip-ansi/package.json", "Digest": "sha1:89245990c45fdb9b9621796ada7340fff927507a" }, { "ID": "strip-ansi@7.1.2", "Name": "strip-ansi", "Identifier": { "PURL": "pkg:npm/strip-ansi@7.1.2", "UID": "81de12f25de67a6e", "BOMRef": "922aaab4-7a21-4556-8c97-056dd87ccacb" }, "Version": "7.1.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/wrap-ansi/node_modules/strip-ansi/package.json", "Digest": "sha1:89245990c45fdb9b9621796ada7340fff927507a" }, { "ID": "supports-color@10.2.2", "Name": "supports-color", "Identifier": { "PURL": "pkg:npm/supports-color@10.2.2", "UID": "51177f6c7de6fdba", "BOMRef": "pkg:npm/supports-color@10.2.2" }, "Version": "10.2.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/supports-color/package.json", "Digest": "sha1:ba4fdcabc29b4cd931da15c51981f96731bd1b1e" }, { "ID": "tar@7.5.1", "Name": "tar", "Identifier": { "PURL": "pkg:npm/tar@7.5.1", "UID": "58818370bb942527", "BOMRef": "pkg:npm/tar@7.5.1" }, "Version": "7.5.1", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tar/package.json", "Digest": "sha1:52eb40b4302177cfc878a983347577a800995b8d" }, { "ID": "text-table@0.2.0", "Name": "text-table", "Identifier": { "PURL": "pkg:npm/text-table@0.2.0", "UID": "b2ac9b27897aa7b6", "BOMRef": "pkg:npm/text-table@0.2.0" }, "Version": "0.2.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/text-table/package.json", "Digest": "sha1:f63faee888ad065881dff49fc3e3de8ac57b2ae2" }, { "ID": "tiny-relative-date@2.0.2", "Name": "tiny-relative-date", "Identifier": { "PURL": "pkg:npm/tiny-relative-date@2.0.2", "UID": "9d91fe5a64dc4238", "BOMRef": "pkg:npm/tiny-relative-date@2.0.2" }, "Version": "2.0.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tiny-relative-date/package.json", "Digest": "sha1:120561f313d4901b1dc03b2594ecc45cfe2ad550" }, { "ID": "tinyglobby@0.2.15", "Name": "tinyglobby", "Identifier": { "PURL": "pkg:npm/tinyglobby@0.2.15", "UID": "944d81da042cbfee", "BOMRef": "pkg:npm/tinyglobby@0.2.15" }, "Version": "0.2.15", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tinyglobby/package.json", "Digest": "sha1:811354c5cc4a6c4f64899ed3fcd9f91a7a36e857" }, { "ID": "treeverse@3.0.0", "Name": "treeverse", "Identifier": { "PURL": "pkg:npm/treeverse@3.0.0", "UID": "9afe97f97a6d887d", "BOMRef": "pkg:npm/treeverse@3.0.0" }, "Version": "3.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/treeverse/package.json", "Digest": "sha1:83653dcf5b0c581f485febcbeb9152176632bed0" }, { "ID": "tuf-js@4.0.0", "Name": "tuf-js", "Identifier": { "PURL": "pkg:npm/tuf-js@4.0.0", "UID": "cbbab57be11d9ad0", "BOMRef": "pkg:npm/tuf-js@4.0.0" }, "Version": "4.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tuf-js/package.json", "Digest": "sha1:74435c57b1bedbd99b226ec5e271676d2301e4a7" }, { "ID": "unique-filename@4.0.0", "Name": "unique-filename", "Identifier": { "PURL": "pkg:npm/unique-filename@4.0.0", "UID": "75ad0394cb25a6c5", "BOMRef": "pkg:npm/unique-filename@4.0.0" }, "Version": "4.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/unique-filename/package.json", "Digest": "sha1:7ab7ef7fed369084e86d0800e1861115c3ff1bcd" }, { "ID": "unique-slug@5.0.0", "Name": "unique-slug", "Identifier": { "PURL": "pkg:npm/unique-slug@5.0.0", "UID": "5cc0e76e563534d6", "BOMRef": "pkg:npm/unique-slug@5.0.0" }, "Version": "5.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/unique-slug/package.json", "Digest": "sha1:6bfb7b3e3ad92a208217828bc65a87369999d06f" }, { "ID": "util-deprecate@1.0.2", "Name": "util-deprecate", "Identifier": { "PURL": "pkg:npm/util-deprecate@1.0.2", "UID": "f0517da3f53f99d2", "BOMRef": "pkg:npm/util-deprecate@1.0.2" }, "Version": "1.0.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/util-deprecate/package.json", "Digest": "sha1:2e69081e7bab6e09d3dcfd680716fdeea577431d" }, { "ID": "validate-npm-package-license@3.0.4", "Name": "validate-npm-package-license", "Identifier": { "PURL": "pkg:npm/validate-npm-package-license@3.0.4", "UID": "f8ea00ab94ee69d7", "BOMRef": "pkg:npm/validate-npm-package-license@3.0.4" }, "Version": "3.0.4", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/validate-npm-package-license/package.json", "Digest": "sha1:a938b65349aed1eb3852d98dc1a8431209faf99f" }, { "ID": "validate-npm-package-name@6.0.2", "Name": "validate-npm-package-name", "Identifier": { "PURL": "pkg:npm/validate-npm-package-name@6.0.2", "UID": "ac68cd825fca6a14", "BOMRef": "pkg:npm/validate-npm-package-name@6.0.2" }, "Version": "6.0.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/validate-npm-package-name/package.json", "Digest": "sha1:ed64b84be51c4d073f850831c7f9eaf3f0de6de6" }, { "ID": "walk-up-path@4.0.0", "Name": "walk-up-path", "Identifier": { "PURL": "pkg:npm/walk-up-path@4.0.0", "UID": "be2ce241dbd87b10", "BOMRef": "pkg:npm/walk-up-path@4.0.0" }, "Version": "4.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/walk-up-path/package.json", "Digest": "sha1:5d1d771c0f7a60316cd0d039f38a9e6ce3b08b44" }, { "ID": "which@2.0.2", "Name": "which", "Identifier": { "PURL": "pkg:npm/which@2.0.2", "UID": "7db6861040bf27df", "BOMRef": "pkg:npm/which@2.0.2" }, "Version": "2.0.2", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/cross-spawn/node_modules/which/package.json", "Digest": "sha1:402837c5ba60f95b309957adc4657b8fe4fb1f05" }, { "ID": "which@5.0.0", "Name": "which", "Identifier": { "PURL": "pkg:npm/which@5.0.0", "UID": "bcc8bb2ad4565890", "BOMRef": "pkg:npm/which@5.0.0" }, "Version": "5.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/which/package.json", "Digest": "sha1:519f542417e96085fb8a1ad8d7a0f913155b5e56" }, { "ID": "wrap-ansi@7.0.0", "Name": "wrap-ansi", "Identifier": { "PURL": "pkg:npm/wrap-ansi@7.0.0", "UID": "c22161f5bb459d4d", "BOMRef": "pkg:npm/wrap-ansi@7.0.0" }, "Version": "7.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/wrap-ansi-cjs/package.json", "Digest": "sha1:3442b7381f1b431861a986d8cdf144ced299db29" }, { "ID": "wrap-ansi@8.1.0", "Name": "wrap-ansi", "Identifier": { "PURL": "pkg:npm/wrap-ansi@8.1.0", "UID": "1d14c99e3c72a146", "BOMRef": "pkg:npm/wrap-ansi@8.1.0" }, "Version": "8.1.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/wrap-ansi/package.json", "Digest": "sha1:c14f366cb2c71b662f7edb2dcf7370a513fc641f" }, { "ID": "write-file-atomic@6.0.0", "Name": "write-file-atomic", "Identifier": { "PURL": "pkg:npm/write-file-atomic@6.0.0", "UID": "b4ed79354d0efe0", "BOMRef": "pkg:npm/write-file-atomic@6.0.0" }, "Version": "6.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/write-file-atomic/package.json", "Digest": "sha1:46f2584772ee8056a9e471fdec44718b3645c7f4" }, { "ID": "yallist@4.0.0", "Name": "yallist", "Identifier": { "PURL": "pkg:npm/yallist@4.0.0", "UID": "7812d8219ab32549", "BOMRef": "pkg:npm/yallist@4.0.0" }, "Version": "4.0.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/yallist/package.json", "Digest": "sha1:d6a16b480cbd582f969b3d0ed89a157316268d10" }, { "ID": "yallist@5.0.0", "Name": "yallist", "Identifier": { "PURL": "pkg:npm/yallist@5.0.0", "UID": "73ebf07b8cc4c861", "BOMRef": "pkg:npm/yallist@5.0.0" }, "Version": "5.0.0", "Licenses": [ "BlueOak-1.0.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tar/node_modules/yallist/package.json", "Digest": "sha1:4eaebb818148fd3bcc27e1aef2d88497999f675e" } ], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2026-25547", "VendorIDs": [ "GHSA-7h2j-956f-4vf2" ], "PkgID": "@isaacs/brace-expansion@5.0.0", "PkgName": "@isaacs/brace-expansion", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@isaacs/brace-expansion/package.json", "PkgIdentifier": { "PURL": "pkg:npm/%40isaacs/brace-expansion@5.0.0", "UID": "5e247e096d36a4b2", "BOMRef": "pkg:npm/%40isaacs/brace-expansion@5.0.0" }, "InstalledVersion": "5.0.0", "FixedVersion": "5.0.1", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-25547", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:8c9fec9f313dde9febd2d029e81417290d3c5c72d5378920794ba43aea0cbe5a", "Title": "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion", "Description": "@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.", "Severity": "HIGH", "CweIDs": [ "CWE-1333" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-25547", "https://github.com/isaacs/brace-expansion", "https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2", "https://nvd.nist.gov/vuln/detail/CVE-2026-25547", "https://www.cve.org/CVERecord?id=CVE-2026-25547" ], "PublishedDate": "2026-02-04T22:16:00.813Z", "LastModifiedDate": "2026-02-05T14:57:20.563Z" }, { "VulnerabilityID": "CVE-2026-33750", "VendorIDs": [ "GHSA-f886-m6hf-6m8v" ], "PkgID": "brace-expansion@2.0.2", "PkgName": "brace-expansion", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/brace-expansion/package.json", "PkgIdentifier": { "PURL": "pkg:npm/brace-expansion@2.0.2", "UID": "535ea1a6cc3b3b4b", "BOMRef": "pkg:npm/brace-expansion@2.0.2" }, "InstalledVersion": "2.0.2", "FixedVersion": "5.0.5, 3.0.2, 2.0.3, 1.1.13", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-33750", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:bb96fe6940d56fdb797dc6566d5087686f0466d17fe4ea325b0d64c25245a237", "Title": "brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern", "Description": "The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.", "Severity": "MEDIUM", "CweIDs": [ "CWE-400" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-33750", "https://github.com/juliangruber/brace-expansion", "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113", "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184", "https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5", "https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2", "https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a", "https://github.com/juliangruber/brace-expansion/issues/98", "https://github.com/juliangruber/brace-expansion/pull/95", "https://github.com/juliangruber/brace-expansion/pull/96", "https://github.com/juliangruber/brace-expansion/pull/97", "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v", "https://nvd.nist.gov/vuln/detail/CVE-2026-33750", "https://www.cve.org/CVERecord?id=CVE-2026-33750" ], "PublishedDate": "2026-03-27T15:16:57.297Z", "LastModifiedDate": "2026-03-30T13:26:29.793Z" }, { "VulnerabilityID": "CVE-2026-24001", "VendorIDs": [ "GHSA-73rr-hh4g-fpgx" ], "PkgID": "diff@8.0.2", "PkgName": "diff", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/diff/package.json", "PkgIdentifier": { "PURL": "pkg:npm/diff@8.0.2", "UID": "7bf48c71b3c5bd16", "BOMRef": "pkg:npm/diff@8.0.2" }, "InstalledVersion": "8.0.2", "FixedVersion": "8.0.3, 5.2.2, 4.0.4, 3.5.1", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-24001", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:b662062a3b909e87aa664ee2c4c2de0aecf19512c1c2e39b1fa53bd4152df149", "Title": "jsdiff: denial of service vulnerability in parsePatch and applyPatch", "Description": "jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\\r`, `\\u2028`, or `\\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its \"leading garbage\"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\\r`, `\\u2028`, or `\\u2029`.", "Severity": "LOW", "CweIDs": [ "CWE-400", "CWE-1333" ], "VendorSeverity": { "ghsa": 1, "nvd": 3, "redhat": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U", "V40Score": 2.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-24001", "https://github.com/kpdecker/jsdiff", "https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5", "https://github.com/kpdecker/jsdiff/issues/653", "https://github.com/kpdecker/jsdiff/pull/649", "https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx", "https://nvd.nist.gov/vuln/detail/CVE-2026-24001", "https://www.cve.org/CVERecord?id=CVE-2026-24001" ], "PublishedDate": "2026-01-22T03:15:47.627Z", "LastModifiedDate": "2026-03-04T15:23:41.347Z" }, { "VulnerabilityID": "CVE-2025-64756", "VendorIDs": [ "GHSA-5j98-mcp5-4vw2" ], "PkgID": "glob@10.4.5", "PkgName": "glob", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob/package.json", "PkgIdentifier": { "PURL": "pkg:npm/glob@10.4.5", "UID": "6ea054fc5de229e9", "BOMRef": "pkg:npm/glob@10.4.5" }, "InstalledVersion": "10.4.5", "FixedVersion": "11.1.0, 10.5.0", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-64756", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:b7b41c3b0456a40cdd0de150b740a0ce042236db95fff2cb113efbb67a4a0687", "Title": "glob: glob: Command Injection Vulnerability via Malicious Filenames", "Description": "Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c \u003ccommand\u003e \u003cpatterns\u003e are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.", "Severity": "HIGH", "CweIDs": [ "CWE-78" ], "VendorSeverity": { "ghsa": 3, "redhat": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-64756", "https://github.com/isaacs/node-glob", "https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f", "https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146", "https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2", "https://nvd.nist.gov/vuln/detail/CVE-2025-64756", "https://www.cve.org/CVERecord?id=CVE-2025-64756" ], "PublishedDate": "2025-11-17T18:15:58.27Z", "LastModifiedDate": "2025-12-02T19:34:43.27Z" }, { "VulnerabilityID": "CVE-2025-64756", "VendorIDs": [ "GHSA-5j98-mcp5-4vw2" ], "PkgID": "glob@11.0.3", "PkgName": "glob", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/glob/package.json", "PkgIdentifier": { "PURL": "pkg:npm/glob@11.0.3", "UID": "6b022e71675d53b8", "BOMRef": "pkg:npm/glob@11.0.3" }, "InstalledVersion": "11.0.3", "FixedVersion": "11.1.0, 10.5.0", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-64756", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:bae1cfcb914b94c6707f53d79af06d7cf1f7498045f888692ccc98776f9b7ab5", "Title": "glob: glob: Command Injection Vulnerability via Malicious Filenames", "Description": "Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c \u003ccommand\u003e \u003cpatterns\u003e are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.", "Severity": "HIGH", "CweIDs": [ "CWE-78" ], "VendorSeverity": { "ghsa": 3, "redhat": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-64756", "https://github.com/isaacs/node-glob", "https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f", "https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146", "https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2", "https://nvd.nist.gov/vuln/detail/CVE-2025-64756", "https://www.cve.org/CVERecord?id=CVE-2025-64756" ], "PublishedDate": "2025-11-17T18:15:58.27Z", "LastModifiedDate": "2025-12-02T19:34:43.27Z" }, { "VulnerabilityID": "CVE-2026-26996", "VendorIDs": [ "GHSA-3ppc-4f35-3m26" ], "PkgID": "minimatch@10.0.3", "PkgName": "minimatch", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/minimatch/package.json", "PkgIdentifier": { "PURL": "pkg:npm/minimatch@10.0.3", "UID": "644cae48932df74", "BOMRef": "pkg:npm/minimatch@10.0.3" }, "InstalledVersion": "10.0.3", "FixedVersion": "10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-26996", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:3ef77044ef1ebb43807fc4d40f34b89a4a1f630ff2e90692c96c2396de7b8204", "Title": "minimatch: minimatch: Denial of Service via specially crafted glob patterns", "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.", "Severity": "HIGH", "CweIDs": [ "CWE-1333" ], "VendorSeverity": { "ghsa": 3, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-26996", "https://github.com/isaacs/minimatch", "https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5", "https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26", "https://nvd.nist.gov/vuln/detail/CVE-2026-26996", "https://www.cve.org/CVERecord?id=CVE-2026-26996" ], "PublishedDate": "2026-02-20T03:16:01.62Z", "LastModifiedDate": "2026-03-06T21:32:10.65Z" }, { "VulnerabilityID": "CVE-2026-27903", "VendorIDs": [ "GHSA-7r86-cg39-jmmj" ], "PkgID": "minimatch@10.0.3", "PkgName": "minimatch", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/minimatch/package.json", "PkgIdentifier": { "PURL": "pkg:npm/minimatch@10.0.3", "UID": "644cae48932df74", "BOMRef": "pkg:npm/minimatch@10.0.3" }, "InstalledVersion": "10.0.3", "FixedVersion": "10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27903", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:e3a059c7f994f4fc2d7980a6e36460c4e4c192ba3705c8a84f65eed60be2fc38", "Title": "minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns", "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.", "Severity": "HIGH", "CweIDs": [ "CWE-407" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-27903", "https://github.com/isaacs/minimatch", "https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748", "https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj", "https://nvd.nist.gov/vuln/detail/CVE-2026-27903", "https://www.cve.org/CVERecord?id=CVE-2026-27903" ], "PublishedDate": "2026-02-26T02:16:21.353Z", "LastModifiedDate": "2026-02-27T17:21:22.37Z" }, { "VulnerabilityID": "CVE-2026-27904", "VendorIDs": [ "GHSA-23c5-xmqv-rm74" ], "PkgID": "minimatch@10.0.3", "PkgName": "minimatch", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/minimatch/package.json", "PkgIdentifier": { "PURL": "pkg:npm/minimatch@10.0.3", "UID": "644cae48932df74", "BOMRef": "pkg:npm/minimatch@10.0.3" }, "InstalledVersion": "10.0.3", "FixedVersion": "10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27904", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:de88e8f014e0341fb8850f0074b4cddc03a308b9fe2abe1c7ed512590bf0cfe5", "Title": "minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions", "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.", "Severity": "HIGH", "CweIDs": [ "CWE-1333" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-27904", "https://github.com/isaacs/minimatch", "https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce", "https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74", "https://nvd.nist.gov/vuln/detail/CVE-2026-27904", "https://www.cve.org/CVERecord?id=CVE-2026-27904" ], "PublishedDate": "2026-02-26T02:16:21.76Z", "LastModifiedDate": "2026-02-27T17:16:23.773Z" }, { "VulnerabilityID": "CVE-2026-26996", "VendorIDs": [ "GHSA-3ppc-4f35-3m26" ], "PkgID": "minimatch@9.0.5", "PkgName": "minimatch", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@tufjs/models/node_modules/minimatch/package.json", "PkgIdentifier": { "PURL": "pkg:npm/minimatch@9.0.5", "UID": "120f9e0551bc725e", "BOMRef": "9bf7da2c-58d4-4a91-a83a-157984d5bc3f" }, "InstalledVersion": "9.0.5", "FixedVersion": "10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-26996", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:4df08e247b98ff0a129d69ca18fbecb5c041eea6d01ac05d4c75b5de6eb22ed6", "Title": "minimatch: minimatch: Denial of Service via specially crafted glob patterns", "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.", "Severity": "HIGH", "CweIDs": [ "CWE-1333" ], "VendorSeverity": { "ghsa": 3, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-26996", "https://github.com/isaacs/minimatch", "https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5", "https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26", "https://nvd.nist.gov/vuln/detail/CVE-2026-26996", "https://www.cve.org/CVERecord?id=CVE-2026-26996" ], "PublishedDate": "2026-02-20T03:16:01.62Z", "LastModifiedDate": "2026-03-06T21:32:10.65Z" }, { "VulnerabilityID": "CVE-2026-26996", "VendorIDs": [ "GHSA-3ppc-4f35-3m26" ], "PkgID": "minimatch@9.0.5", "PkgName": "minimatch", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/node-gyp/node_modules/minimatch/package.json", "PkgIdentifier": { "PURL": "pkg:npm/minimatch@9.0.5", "UID": "f8c59c6ffd80bf78", "BOMRef": "282b82d8-42d7-4f45-8bfb-b8d160c7e92b" }, "InstalledVersion": "9.0.5", "FixedVersion": "10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-26996", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:4df08e247b98ff0a129d69ca18fbecb5c041eea6d01ac05d4c75b5de6eb22ed6", "Title": "minimatch: minimatch: Denial of Service via specially crafted glob patterns", "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.", "Severity": "HIGH", "CweIDs": [ "CWE-1333" ], "VendorSeverity": { "ghsa": 3, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-26996", "https://github.com/isaacs/minimatch", "https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5", "https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26", "https://nvd.nist.gov/vuln/detail/CVE-2026-26996", "https://www.cve.org/CVERecord?id=CVE-2026-26996" ], "PublishedDate": "2026-02-20T03:16:01.62Z", "LastModifiedDate": "2026-03-06T21:32:10.65Z" }, { "VulnerabilityID": "CVE-2026-27903", "VendorIDs": [ "GHSA-7r86-cg39-jmmj" ], "PkgID": "minimatch@9.0.5", "PkgName": "minimatch", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@tufjs/models/node_modules/minimatch/package.json", "PkgIdentifier": { "PURL": "pkg:npm/minimatch@9.0.5", "UID": "120f9e0551bc725e", "BOMRef": "9bf7da2c-58d4-4a91-a83a-157984d5bc3f" }, "InstalledVersion": "9.0.5", "FixedVersion": "10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27903", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:22a353d99994d52ec4014598361d191bc910dd717159ef5460b4c5feda536b4e", "Title": "minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns", "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.", "Severity": "HIGH", "CweIDs": [ "CWE-407" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-27903", "https://github.com/isaacs/minimatch", "https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748", "https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj", "https://nvd.nist.gov/vuln/detail/CVE-2026-27903", "https://www.cve.org/CVERecord?id=CVE-2026-27903" ], "PublishedDate": "2026-02-26T02:16:21.353Z", "LastModifiedDate": "2026-02-27T17:21:22.37Z" }, { "VulnerabilityID": "CVE-2026-27903", "VendorIDs": [ "GHSA-7r86-cg39-jmmj" ], "PkgID": "minimatch@9.0.5", "PkgName": "minimatch", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/node-gyp/node_modules/minimatch/package.json", "PkgIdentifier": { "PURL": "pkg:npm/minimatch@9.0.5", "UID": "f8c59c6ffd80bf78", "BOMRef": "282b82d8-42d7-4f45-8bfb-b8d160c7e92b" }, "InstalledVersion": "9.0.5", "FixedVersion": "10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27903", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:22a353d99994d52ec4014598361d191bc910dd717159ef5460b4c5feda536b4e", "Title": "minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns", "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.", "Severity": "HIGH", "CweIDs": [ "CWE-407" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-27903", "https://github.com/isaacs/minimatch", "https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748", "https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj", "https://nvd.nist.gov/vuln/detail/CVE-2026-27903", "https://www.cve.org/CVERecord?id=CVE-2026-27903" ], "PublishedDate": "2026-02-26T02:16:21.353Z", "LastModifiedDate": "2026-02-27T17:21:22.37Z" }, { "VulnerabilityID": "CVE-2026-27904", "VendorIDs": [ "GHSA-23c5-xmqv-rm74" ], "PkgID": "minimatch@9.0.5", "PkgName": "minimatch", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/@tufjs/models/node_modules/minimatch/package.json", "PkgIdentifier": { "PURL": "pkg:npm/minimatch@9.0.5", "UID": "120f9e0551bc725e", "BOMRef": "9bf7da2c-58d4-4a91-a83a-157984d5bc3f" }, "InstalledVersion": "9.0.5", "FixedVersion": "10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27904", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:f7712b66150c2da11f017da8c8581d69ea0c522439dabde11c46cbbe01244389", "Title": "minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions", "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.", "Severity": "HIGH", "CweIDs": [ "CWE-1333" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-27904", "https://github.com/isaacs/minimatch", "https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce", "https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74", "https://nvd.nist.gov/vuln/detail/CVE-2026-27904", "https://www.cve.org/CVERecord?id=CVE-2026-27904" ], "PublishedDate": "2026-02-26T02:16:21.76Z", "LastModifiedDate": "2026-02-27T17:16:23.773Z" }, { "VulnerabilityID": "CVE-2026-27904", "VendorIDs": [ "GHSA-23c5-xmqv-rm74" ], "PkgID": "minimatch@9.0.5", "PkgName": "minimatch", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/node-gyp/node_modules/minimatch/package.json", "PkgIdentifier": { "PURL": "pkg:npm/minimatch@9.0.5", "UID": "f8c59c6ffd80bf78", "BOMRef": "282b82d8-42d7-4f45-8bfb-b8d160c7e92b" }, "InstalledVersion": "9.0.5", "FixedVersion": "10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27904", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:f7712b66150c2da11f017da8c8581d69ea0c522439dabde11c46cbbe01244389", "Title": "minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions", "Description": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.", "Severity": "HIGH", "CweIDs": [ "CWE-1333" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-27904", "https://github.com/isaacs/minimatch", "https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce", "https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74", "https://nvd.nist.gov/vuln/detail/CVE-2026-27904", "https://www.cve.org/CVERecord?id=CVE-2026-27904" ], "PublishedDate": "2026-02-26T02:16:21.76Z", "LastModifiedDate": "2026-02-27T17:16:23.773Z" }, { "VulnerabilityID": "CVE-2026-33671", "VendorIDs": [ "GHSA-c2c7-rcm5-vvqj" ], "PkgID": "picomatch@4.0.3", "PkgName": "picomatch", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tinyglobby/node_modules/picomatch/package.json", "PkgIdentifier": { "PURL": "pkg:npm/picomatch@4.0.3", "UID": "56cb1fc33efbea2b", "BOMRef": "pkg:npm/picomatch@4.0.3" }, "InstalledVersion": "4.0.3", "FixedVersion": "4.0.4, 3.0.2, 2.3.2", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-33671", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:207ad269915973ca2f23d010cda47be6c0642612083c33e920cc47d603f2821d", "Title": "picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns", "Description": "Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`. Possible mitigations include disabling extglob support for untrusted patterns by using `noextglob: true`, rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`, enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.", "Severity": "HIGH", "CweIDs": [ "CWE-1333" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-33671", "https://github.com/micromatch/picomatch", "https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d", "https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj", "https://nvd.nist.gov/vuln/detail/CVE-2026-33671", "https://www.cve.org/CVERecord?id=CVE-2026-33671" ], "PublishedDate": "2026-03-26T22:16:30.21Z", "LastModifiedDate": "2026-04-01T13:45:11.687Z" }, { "VulnerabilityID": "CVE-2026-33672", "VendorIDs": [ "GHSA-3v7f-55p6-f55p" ], "PkgID": "picomatch@4.0.3", "PkgName": "picomatch", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tinyglobby/node_modules/picomatch/package.json", "PkgIdentifier": { "PURL": "pkg:npm/picomatch@4.0.3", "UID": "56cb1fc33efbea2b", "BOMRef": "pkg:npm/picomatch@4.0.3" }, "InstalledVersion": "4.0.3", "FixedVersion": "4.0.4, 3.0.2, 2.3.2", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-33672", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:2f6677f54143717bdb7617fbb22baa2470965a5f811541d2db8e4696d970e0cc", "Title": "picomatch: Picomatch: Data integrity compromised via method injection with crafted POSIX bracket expressions", "Description": "Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions (e.g., `[[:constructor:]]`) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected `picomatch` versions that process untrusted or user-controlled glob patterns are potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like `[[:...:]]`; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying `POSIX_REGEX_SOURCE` to use a null prototype.", "Severity": "MEDIUM", "CweIDs": [ "CWE-1321" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 5.3 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-33672", "https://github.com/micromatch/picomatch", "https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903", "https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p", "https://nvd.nist.gov/vuln/detail/CVE-2026-33672", "https://www.cve.org/CVERecord?id=CVE-2026-33672" ], "PublishedDate": "2026-03-26T22:16:30.387Z", "LastModifiedDate": "2026-04-01T13:44:53.397Z" }, { "VulnerabilityID": "CVE-2026-23745", "VendorIDs": [ "GHSA-8qq5-rm4j-mr97" ], "PkgID": "tar@7.5.1", "PkgName": "tar", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tar/package.json", "PkgIdentifier": { "PURL": "pkg:npm/tar@7.5.1", "UID": "58818370bb942527", "BOMRef": "pkg:npm/tar@7.5.1" }, "InstalledVersion": "7.5.1", "FixedVersion": "7.5.3", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-23745", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:0dea88a545e0d4bde2da8018be7bc80b7499d8daf4c4ca9bd0829609f916bcd8", "Title": "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives", "Description": "node-tar is a Tar for Node.js. The node-tar library (\u003c= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.", "Severity": "HIGH", "CweIDs": [ "CWE-22" ], "VendorSeverity": { "amazon": 3, "ghsa": 3, "nvd": 2, "redhat": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N", "V40Score": 8.2 }, "nvd": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "V3Score": 6.1 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "V3Score": 8.2 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-23745", "https://github.com/isaacs/node-tar", "https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e", "https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97", "https://nvd.nist.gov/vuln/detail/CVE-2026-23745", "https://www.cve.org/CVERecord?id=CVE-2026-23745" ], "PublishedDate": "2026-01-16T22:16:26.83Z", "LastModifiedDate": "2026-02-18T16:20:07.823Z" }, { "VulnerabilityID": "CVE-2026-23950", "VendorIDs": [ "GHSA-r6q2-hw4h-h46w" ], "PkgID": "tar@7.5.1", "PkgName": "tar", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tar/package.json", "PkgIdentifier": { "PURL": "pkg:npm/tar@7.5.1", "UID": "58818370bb942527", "BOMRef": "pkg:npm/tar@7.5.1" }, "InstalledVersion": "7.5.1", "FixedVersion": "7.5.4", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-23950", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:afe62403e307bcb4c97b9c51ae51daeec3433773d8036f2a1b568b51af3d7ede", "Title": "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition", "Description": "node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.", "Severity": "HIGH", "CweIDs": [ "CWE-176", "CWE-352", "CWE-367" ], "VendorSeverity": { "amazon": 3, "ghsa": 3, "nvd": 2, "redhat": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "V3Score": 8.8 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "V3Score": 5.9 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", "V3Score": 8.8 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-23950", "https://github.com/isaacs/node-tar", "https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6", "https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w", "https://nvd.nist.gov/vuln/detail/CVE-2026-23950", "https://www.cve.org/CVERecord?id=CVE-2026-23950" ], "PublishedDate": "2026-01-20T01:15:57.87Z", "LastModifiedDate": "2026-02-18T15:50:29.91Z" }, { "VulnerabilityID": "CVE-2026-24842", "VendorIDs": [ "GHSA-34x7-hfp2-rc4v" ], "PkgID": "tar@7.5.1", "PkgName": "tar", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tar/package.json", "PkgIdentifier": { "PURL": "pkg:npm/tar@7.5.1", "UID": "58818370bb942527", "BOMRef": "pkg:npm/tar@7.5.1" }, "InstalledVersion": "7.5.1", "FixedVersion": "7.5.7", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-24842", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:285fb464186a1e4cafbe7860f9c98718f7ce7f25615b20164d911b2c55c6850f", "Title": "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check", "Description": "node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.", "Severity": "HIGH", "CweIDs": [ "CWE-22", "CWE-59" ], "VendorSeverity": { "amazon": 3, "ghsa": 3, "redhat": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "V3Score": 8.2 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "V3Score": 8.2 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-24842", "https://github.com/isaacs/node-tar", "https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46", "https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v", "https://nvd.nist.gov/vuln/detail/CVE-2026-24842", "https://www.cve.org/CVERecord?id=CVE-2026-24842" ], "PublishedDate": "2026-01-28T01:16:14.947Z", "LastModifiedDate": "2026-02-02T14:30:10.89Z" }, { "VulnerabilityID": "CVE-2026-26960", "VendorIDs": [ "GHSA-83g3-92jg-28cx" ], "PkgID": "tar@7.5.1", "PkgName": "tar", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tar/package.json", "PkgIdentifier": { "PURL": "pkg:npm/tar@7.5.1", "UID": "58818370bb942527", "BOMRef": "pkg:npm/tar@7.5.1" }, "InstalledVersion": "7.5.1", "FixedVersion": "7.5.8", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-26960", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:8f743528f119fa688684c2f972891edbbbd6fe7a3c7e82e9a60686b43a5e8966", "Title": "tar: node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation", "Description": "node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.", "Severity": "HIGH", "CweIDs": [ "CWE-22" ], "VendorSeverity": { "amazon": 3, "ghsa": 3, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "V3Score": 7.1 }, "nvd": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "V3Score": 7.1 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "V3Score": 7.1 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-26960", "https://github.com/isaacs/node-tar", "https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384", "https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f", "https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx", "https://nvd.nist.gov/vuln/detail/CVE-2026-26960", "https://www.cve.org/CVERecord?id=CVE-2026-26960" ], "PublishedDate": "2026-02-20T02:16:53.883Z", "LastModifiedDate": "2026-02-20T19:24:16.537Z" }, { "VulnerabilityID": "CVE-2026-29786", "VendorIDs": [ "GHSA-qffp-2rhf-9h96" ], "PkgID": "tar@7.5.1", "PkgName": "tar", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tar/package.json", "PkgIdentifier": { "PURL": "pkg:npm/tar@7.5.1", "UID": "58818370bb942527", "BOMRef": "pkg:npm/tar@7.5.1" }, "InstalledVersion": "7.5.1", "FixedVersion": "7.5.10", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-29786", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:dd689610e9bf26cc1d7f622c293dad96dad8b1ed76a595ef4ea572395296e97e", "Title": "node-tar: hardlink path traversal via drive-relative linkpath", "Description": "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.", "Severity": "HIGH", "CweIDs": [ "CWE-22", "CWE-59" ], "VendorSeverity": { "amazon": 3, "ghsa": 3, "nvd": 2, "redhat": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L", "V40Score": 8.2 }, "nvd": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "V3Score": 6.3 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "V3Score": 8.6 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-29786", "https://github.com/isaacs/node-tar", "https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f", "https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96", "https://nvd.nist.gov/vuln/detail/CVE-2026-29786", "https://www.cve.org/CVERecord?id=CVE-2026-29786" ], "PublishedDate": "2026-03-07T16:15:55.587Z", "LastModifiedDate": "2026-03-11T21:50:01.91Z" }, { "VulnerabilityID": "CVE-2026-31802", "VendorIDs": [ "GHSA-9ppj-qmqm-q256" ], "PkgID": "tar@7.5.1", "PkgName": "tar", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tar/package.json", "PkgIdentifier": { "PURL": "pkg:npm/tar@7.5.1", "UID": "58818370bb942527", "BOMRef": "pkg:npm/tar@7.5.1" }, "InstalledVersion": "7.5.1", "FixedVersion": "7.5.11", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-31802", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:ca72230b218b64769b649eb6039231d866eeb4dd1ea37afb9a46958e72ee5744", "Title": "tar: tar: File overwrite via drive-relative symlink traversal", "Description": "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.", "Severity": "HIGH", "CweIDs": [ "CWE-22" ], "VendorSeverity": { "ghsa": 3, "nvd": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N", "V40Score": 8.2 }, "nvd": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "V3Score": 5.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "V3Score": 6.2 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-31802", "https://github.com/isaacs/node-tar", "https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad", "https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256", "https://nvd.nist.gov/vuln/detail/CVE-2026-31802", "https://www.cve.org/CVERecord?id=CVE-2026-31802" ], "PublishedDate": "2026-03-10T07:44:58.02Z", "LastModifiedDate": "2026-03-18T18:13:34.703Z" }, { "VulnerabilityID": "CVE-2025-64118", "VendorIDs": [ "GHSA-29xp-372q-xqph" ], "PkgID": "tar@7.5.1", "PkgName": "tar", "PkgPath": "usr/lib/python3.13/site-packages/nodejs_wheel/lib/node_modules/npm/node_modules/tar/package.json", "PkgIdentifier": { "PURL": "pkg:npm/tar@7.5.1", "UID": "58818370bb942527", "BOMRef": "pkg:npm/tar@7.5.1" }, "InstalledVersion": "7.5.1", "FixedVersion": "7.5.2", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-64118", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:969265184e78ae941aaecb6a19cd16f57efd033c143f8844bd951387ae1e6b4a", "Title": "node-tar: tar: node-tar: Information disclosure via reading a truncated tar file", "Description": "node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.", "Severity": "MEDIUM", "CweIDs": [ "CWE-362", "CWE-367" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H", "V40Score": 6.1 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "V3Score": 4.7 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-64118", "https://github.com/isaacs/node-tar", "https://github.com/isaacs/node-tar/commit/5330eb04bc43014f216e5c271b40d5c00d45224d", "https://github.com/isaacs/node-tar/commit/5e1a8e638600d3c3a2969b4de6a6ec44fa8d74c9", "https://github.com/isaacs/node-tar/issues/445", "https://github.com/isaacs/node-tar/pull/446", "https://github.com/isaacs/node-tar/security/advisories/GHSA-29xp-372q-xqph", "https://nvd.nist.gov/vuln/detail/CVE-2025-64118", "https://www.cve.org/CVERecord?id=CVE-2025-64118" ], "PublishedDate": "2025-10-30T18:15:33.673Z", "LastModifiedDate": "2025-11-04T15:41:56.843Z" } ] }, { "Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg", "Packages": [ { "ID": "APScheduler@3.10.4", "Name": "APScheduler", "Identifier": { "PURL": "pkg:pypi/apscheduler@3.10.4", "UID": "b91e157973d047ff", "BOMRef": "pkg:pypi/apscheduler@3.10.4" }, "Version": "3.10.4", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/APScheduler-3.10.4.dist-info/METADATA", "Digest": "sha1:3c645283c329748c21fee30a0a21ea492988d52f" }, { "ID": "Deprecated@1.3.1", "Name": "Deprecated", "Identifier": { "PURL": "pkg:pypi/deprecated@1.3.1", "UID": "c1993ced18886379", "BOMRef": "pkg:pypi/deprecated@1.3.1" }, "Version": "1.3.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/deprecated-1.3.1.dist-info/METADATA", "Digest": "sha1:109990e0106e9872d6bf3486d1fa574730d1c717" }, { "ID": "Jinja2@3.1.6", "Name": "Jinja2", "Identifier": { "PURL": "pkg:pypi/jinja2@3.1.6", "UID": "1dda9f5335dcc5b2", "BOMRef": "pkg:pypi/jinja2@3.1.6" }, "Version": "3.1.6", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/jinja2-3.1.6.dist-info/METADATA", "Digest": "sha1:01c4dcfd579104dd8f5b937e1511e9371b4367d3" }, { "ID": "MarkupSafe@3.0.3", "Name": "MarkupSafe", "Identifier": { "PURL": "pkg:pypi/markupsafe@3.0.3", "UID": "728b2647b3c30044", "BOMRef": "pkg:pypi/markupsafe@3.0.3" }, "Version": "3.0.3", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/markupsafe-3.0.3.dist-info/METADATA", "Digest": "sha1:8ada20dd783a9961d87701f2cd25b0880f23993e" }, { "ID": "PyJWT@2.10.1", "Name": "PyJWT", "Identifier": { "PURL": "pkg:pypi/pyjwt@2.10.1", "UID": "ac325a6454c21e13", "BOMRef": "pkg:pypi/pyjwt@2.10.1" }, "Version": "2.10.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/PyJWT-2.10.1.dist-info/METADATA", "Digest": "sha1:9b853963468881a7cc9764160e5e44401f888dae" }, { "ID": "PyNaCl@1.6.2", "Name": "PyNaCl", "Identifier": { "PURL": "pkg:pypi/pynacl@1.6.2", "UID": "e280e6d89d8712cd", "BOMRef": "pkg:pypi/pynacl@1.6.2" }, "Version": "1.6.2", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/pynacl-1.6.2.dist-info/METADATA", "Digest": "sha1:51eed4f0f5e4d39bc532c4157c5a3982308b842c" }, { "ID": "PyYAML@6.0.2", "Name": "PyYAML", "Identifier": { "PURL": "pkg:pypi/pyyaml@6.0.2", "UID": "39f5ab1a98c2fb", "BOMRef": "pkg:pypi/pyyaml@6.0.2" }, "Version": "6.0.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/PyYAML-6.0.2.dist-info/METADATA", "Digest": "sha1:019874e22eba3861f59a9ab72f17f58e8b504cf4" }, { "ID": "Pygments@2.19.2", "Name": "Pygments", "Identifier": { "PURL": "pkg:pypi/pygments@2.19.2", "UID": "3193c3af3c7f6855", "BOMRef": "pkg:pypi/pygments@2.19.2" }, "Version": "2.19.2", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/pygments-2.19.2.dist-info/METADATA", "Digest": "sha1:afee6b8cae57db32719d0559389750d7923f0605" }, { "ID": "Werkzeug@3.1.5", "Name": "Werkzeug", "Identifier": { "PURL": "pkg:pypi/werkzeug@3.1.5", "UID": "939d3e12cfb033cb", "BOMRef": "pkg:pypi/werkzeug@3.1.5" }, "Version": "3.1.5", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/werkzeug-3.1.5.dist-info/METADATA", "Digest": "sha1:5a19d56ed83b00d25d66542b1f3406ffb8dc4bbd" }, { "ID": "aioboto3@13.4.0", "Name": "aioboto3", "Identifier": { "PURL": "pkg:pypi/aioboto3@13.4.0", "UID": "730b9e3ad93d37bd", "BOMRef": "pkg:pypi/aioboto3@13.4.0" }, "Version": "13.4.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/aioboto3-13.4.0.dist-info/METADATA", "Digest": "sha1:d800f84717eb9fa8a3e38625b513c1cfa6dc463b" }, { "ID": "aiobotocore@2.18.0", "Name": "aiobotocore", "Identifier": { "PURL": "pkg:pypi/aiobotocore@2.18.0", "UID": "cb8394a5897f9dd0", "BOMRef": "pkg:pypi/aiobotocore@2.18.0" }, "Version": "2.18.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/aiobotocore-2.18.0.dist-info/METADATA", "Digest": "sha1:f5d91fb6ae87689b6baa64edc4fadb69b99767a5" }, { "ID": "aiofiles@24.1.0", "Name": "aiofiles", "Identifier": { "PURL": "pkg:pypi/aiofiles@24.1.0", "UID": "66aaa01ad37302f5", "BOMRef": "pkg:pypi/aiofiles@24.1.0" }, "Version": "24.1.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:568cf0839c2e5c5706101dd3eb417332f95377002f5c2ac7edf7be4b4fc1e32b", "DiffID": "sha256:b667b36a7cbb543a2e773320ce0bb6938352eca67219e48928d269a81515b90a" }, "FilePath": "usr/lib/python3.13/site-packages/aiofiles-24.1.0.dist-info/METADATA", "Digest": "sha1:1fee4c4fef706c9737b9ce8e245bbd8dae4e4d16" }, { "ID": "aiohappyeyeballs@2.6.1", "Name": "aiohappyeyeballs", "Identifier": { "PURL": "pkg:pypi/aiohappyeyeballs@2.6.1", "UID": "4fbf02c6803a208a", "BOMRef": "pkg:pypi/aiohappyeyeballs@2.6.1" }, "Version": "2.6.1", "Licenses": [ "Python-Software-Foundation-License" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/aiohappyeyeballs-2.6.1.dist-info/METADATA", "Digest": "sha1:01343f4e8b1584084c09e049bd83675272d9e757" }, { "ID": "aiohttp@3.13.3", "Name": "aiohttp", "Identifier": { "PURL": "pkg:pypi/aiohttp@3.13.3", "UID": "b80f9f12707df9ec", "BOMRef": "pkg:pypi/aiohttp@3.13.3" }, "Version": "3.13.3", "Licenses": [ "Apache-2.0 AND MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/aiohttp-3.13.3.dist-info/METADATA", "Digest": "sha1:63d65762ed8ded0c65362a1b04e4245d6ab9f170" }, { "ID": "aioitertools@0.13.0", "Name": "aioitertools", "Identifier": { "PURL": "pkg:pypi/aioitertools@0.13.0", "UID": "a679257fd52b16e9", "BOMRef": "pkg:pypi/aioitertools@0.13.0" }, "Version": "0.13.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/aioitertools-0.13.0.dist-info/METADATA", "Digest": "sha1:110d571c90f132b20fc32b46c28c3c95b1c7aa94" }, { "ID": "aiosignal@1.4.0", "Name": "aiosignal", "Identifier": { "PURL": "pkg:pypi/aiosignal@1.4.0", "UID": "fde47d9ea2c3d854", "BOMRef": "pkg:pypi/aiosignal@1.4.0" }, "Version": "1.4.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/aiosignal-1.4.0.dist-info/METADATA", "Digest": "sha1:8752e41cfbbc924405ef6bf9a9ff761cb9a6dbe3" }, { "ID": "annotated-doc@0.0.4", "Name": "annotated-doc", "Identifier": { "PURL": "pkg:pypi/annotated-doc@0.0.4", "UID": "6000e3c1230cb4d0", "BOMRef": "pkg:pypi/annotated-doc@0.0.4" }, "Version": "0.0.4", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/annotated_doc-0.0.4.dist-info/METADATA", "Digest": "sha1:24d32962e4742a901653d9fe5563c40221ddc6fa" }, { "ID": "annotated-types@0.7.0", "Name": "annotated-types", "Identifier": { "PURL": "pkg:pypi/annotated-types@0.7.0", "UID": "6c4ad8cbe4dfd2fe", "BOMRef": "pkg:pypi/annotated-types@0.7.0" }, "Version": "0.7.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/annotated_types-0.7.0.dist-info/METADATA", "Digest": "sha1:b11011181822ac765c9f66c8aa42c26952de6a96" }, { "ID": "anthropic@0.54.0", "Name": "anthropic", "Identifier": { "PURL": "pkg:pypi/anthropic@0.54.0", "UID": "95ae781281793c41", "BOMRef": "pkg:pypi/anthropic@0.54.0" }, "Version": "0.54.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/anthropic-0.54.0.dist-info/METADATA", "Digest": "sha1:7f700d1b4730958f468871fb28a2f4d416f8ed20" }, { "ID": "anyio@4.8.0", "Name": "anyio", "Identifier": { "PURL": "pkg:pypi/anyio@4.8.0", "UID": "54c1e2e4532730e1", "BOMRef": "pkg:pypi/anyio@4.8.0" }, "Version": "4.8.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/anyio-4.8.0.dist-info/METADATA", "Digest": "sha1:12b3a6bb5ce68bac1fe5abd01d80d367c0688db2" }, { "ID": "async-generator@1.10", "Name": "async-generator", "Identifier": { "PURL": "pkg:pypi/async-generator@1.10", "UID": "94078b2b0a19d5e0", "BOMRef": "pkg:pypi/async-generator@1.10" }, "Version": "1.10", "Licenses": [ "MIT", "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/async_generator-1.10.dist-info/METADATA", "Digest": "sha1:f4fa19d3f3bef3e3604acc54b00e8b8c50ad31c0" }, { "ID": "attrs@25.4.0", "Name": "attrs", "Identifier": { "PURL": "pkg:pypi/attrs@25.4.0", "UID": "50218a6a3e203a45", "BOMRef": "pkg:pypi/attrs@25.4.0" }, "Version": "25.4.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/attrs-25.4.0.dist-info/METADATA", "Digest": "sha1:9e593ab8f12d14d819a81ca9c41b9df0b4864a59" }, { "ID": "aurelio-sdk@0.0.19", "Name": "aurelio-sdk", "Identifier": { "PURL": "pkg:pypi/aurelio-sdk@0.0.19", "UID": "83242dfb95ee2676", "BOMRef": "pkg:pypi/aurelio-sdk@0.0.19" }, "Version": "0.0.19", "Layer": { "Digest": "sha256:568cf0839c2e5c5706101dd3eb417332f95377002f5c2ac7edf7be4b4fc1e32b", "DiffID": "sha256:b667b36a7cbb543a2e773320ce0bb6938352eca67219e48928d269a81515b90a" }, "FilePath": "usr/lib/python3.13/site-packages/aurelio_sdk-0.0.19.dist-info/METADATA", "Digest": "sha1:bfe4c91a1633b0aa53f4fd1c5bd9f0e22eedfb7a" }, { "ID": "azure-ai-contentsafety@1.0.0", "Name": "azure-ai-contentsafety", "Identifier": { "PURL": "pkg:pypi/azure-ai-contentsafety@1.0.0", "UID": "a959081f33384bb3", "BOMRef": "pkg:pypi/azure-ai-contentsafety@1.0.0" }, "Version": "1.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/azure_ai_contentsafety-1.0.0.dist-info/METADATA", "Digest": "sha1:45cc94c9f0a17e313b00a13f7b0f9682654e0feb" }, { "ID": "azure-core@1.38.0", "Name": "azure-core", "Identifier": { "PURL": "pkg:pypi/azure-core@1.38.0", "UID": "7dafb5ac32f0a74b", "BOMRef": "pkg:pypi/azure-core@1.38.0" }, "Version": "1.38.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/azure_core-1.38.0.dist-info/METADATA", "Digest": "sha1:e238bbd306f50f93ae1a5fa41184f3425c9c266b" }, { "ID": "azure-identity@1.16.1", "Name": "azure-identity", "Identifier": { "PURL": "pkg:pypi/azure-identity@1.16.1", "UID": "e1fd9583f5831612", "BOMRef": "pkg:pypi/azure-identity@1.16.1" }, "Version": "1.16.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/azure_identity-1.16.1.dist-info/METADATA", "Digest": "sha1:68fdde1864f6c107e1306f736d9b5fefa2acf3a1" }, { "ID": "azure-keyvault@4.2.0", "Name": "azure-keyvault", "Identifier": { "PURL": "pkg:pypi/azure-keyvault@4.2.0", "UID": "308572c5f3499b0", "BOMRef": "pkg:pypi/azure-keyvault@4.2.0" }, "Version": "4.2.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/azure_keyvault-4.2.0.dist-info/METADATA", "Digest": "sha1:5da0d813613844740604dfa0c820222a54853a3a" }, { "ID": "azure-keyvault-certificates@4.10.0", "Name": "azure-keyvault-certificates", "Identifier": { "PURL": "pkg:pypi/azure-keyvault-certificates@4.10.0", "UID": "b0b399c067d90237", "BOMRef": "pkg:pypi/azure-keyvault-certificates@4.10.0" }, "Version": "4.10.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/azure_keyvault_certificates-4.10.0.dist-info/METADATA", "Digest": "sha1:8227ff63178e8f5a07e66f234d8c296b189f855b" }, { "ID": "azure-keyvault-keys@4.11.0", "Name": "azure-keyvault-keys", "Identifier": { "PURL": "pkg:pypi/azure-keyvault-keys@4.11.0", "UID": "2ed38bd3faf47443", "BOMRef": "pkg:pypi/azure-keyvault-keys@4.11.0" }, "Version": "4.11.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/azure_keyvault_keys-4.11.0.dist-info/METADATA", "Digest": "sha1:61e25dca1cb98e731337b756f4e1bb129413c496" }, { "ID": "azure-keyvault-secrets@4.10.0", "Name": "azure-keyvault-secrets", "Identifier": { "PURL": "pkg:pypi/azure-keyvault-secrets@4.10.0", "UID": "b27b6406ca6032c9", "BOMRef": "pkg:pypi/azure-keyvault-secrets@4.10.0" }, "Version": "4.10.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/azure_keyvault_secrets-4.10.0.dist-info/METADATA", "Digest": "sha1:5a8061494c1c50c49fa47eace47c117fe193a0b4" }, { "ID": "azure-storage-blob@12.28.0", "Name": "azure-storage-blob", "Identifier": { "PURL": "pkg:pypi/azure-storage-blob@12.28.0", "UID": "bd278d72cadd4f90", "BOMRef": "pkg:pypi/azure-storage-blob@12.28.0" }, "Version": "12.28.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/azure_storage_blob-12.28.0.dist-info/METADATA", "Digest": "sha1:20e7abbd2536ed3374cf440f144cf9ca5c0fb098" }, { "ID": "azure-storage-file-datalake@12.20.0", "Name": "azure-storage-file-datalake", "Identifier": { "PURL": "pkg:pypi/azure-storage-file-datalake@12.20.0", "UID": "cfbdf689371cf0c7", "BOMRef": "pkg:pypi/azure-storage-file-datalake@12.20.0" }, "Version": "12.20.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/azure_storage_file_datalake-12.20.0.dist-info/METADATA", "Digest": "sha1:cc8ebe204539019788e04a26f2510c35575928c2" }, { "ID": "backoff@2.2.1", "Name": "backoff", "Identifier": { "PURL": "pkg:pypi/backoff@2.2.1", "UID": "a3a453f034c9312a", "BOMRef": "pkg:pypi/backoff@2.2.1" }, "Version": "2.2.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/backoff-2.2.1.dist-info/METADATA", "Digest": "sha1:ea8b96e2947c9fed16b9c4075c30113fe09fac98" }, { "ID": "boto3@1.36.0", "Name": "boto3", "Identifier": { "PURL": "pkg:pypi/boto3@1.36.0", "UID": "eeb0a91e63bceabc", "BOMRef": "pkg:pypi/boto3@1.36.0" }, "Version": "1.36.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/boto3-1.36.0.dist-info/METADATA", "Digest": "sha1:c9801a51e7808f6eb5cd216b9ca5e18f5c9b2ff8" }, { "ID": "botocore@1.36.1", "Name": "botocore", "Identifier": { "PURL": "pkg:pypi/botocore@1.36.1", "UID": "d36d8507f2f38ee2", "BOMRef": "pkg:pypi/botocore@1.36.1" }, "Version": "1.36.1", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/botocore-1.36.1.dist-info/METADATA", "Digest": "sha1:c6bf2bd5da103f5e1df9cd6c872d3903b6df4cc4" }, { "ID": "bytecode@0.17.0", "Name": "bytecode", "Identifier": { "PURL": "pkg:pypi/bytecode@0.17.0", "UID": "bdd8d746de7735bc", "BOMRef": "pkg:pypi/bytecode@0.17.0" }, "Version": "0.17.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/bytecode-0.17.0.dist-info/METADATA", "Digest": "sha1:65fc4772a46510a0f6186e951e866f5e306a8122" }, { "ID": "certifi@2026.1.4", "Name": "certifi", "Identifier": { "PURL": "pkg:pypi/certifi@2026.1.4", "UID": "9a1feaf0cbef9ed9", "BOMRef": "pkg:pypi/certifi@2026.1.4" }, "Version": "2026.1.4", "Licenses": [ "MPL-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/certifi-2026.1.4.dist-info/METADATA", "Digest": "sha1:fac3d36143e733dcfc1d3255e3321dd98f4376cc" }, { "ID": "cffi@2.0.0", "Name": "cffi", "Identifier": { "PURL": "pkg:pypi/cffi@2.0.0", "UID": "9b078724b9a49986", "BOMRef": "pkg:pypi/cffi@2.0.0" }, "Version": "2.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/cffi-2.0.0.dist-info/METADATA", "Digest": "sha1:87e9c9d276c4f4c31f5a314d6a5472f45655674c" }, { "ID": "charset-normalizer@3.4.4", "Name": "charset-normalizer", "Identifier": { "PURL": "pkg:pypi/charset-normalizer@3.4.4", "UID": "695d746e27ff9579", "BOMRef": "pkg:pypi/charset-normalizer@3.4.4" }, "Version": "3.4.4", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/charset_normalizer-3.4.4.dist-info/METADATA", "Digest": "sha1:b4512da50486c7909da3992f8d8b67052b9fc03e" }, { "ID": "click@8.1.7", "Name": "click", "Identifier": { "PURL": "pkg:pypi/click@8.1.7", "UID": "59912cb300bd50d5", "BOMRef": "pkg:pypi/click@8.1.7" }, "Version": "8.1.7", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/click-8.1.7.dist-info/METADATA", "Digest": "sha1:5c33361d71534572b6d2d3edd15ac9bad78b59c6" }, { "ID": "colorlog@6.10.1", "Name": "colorlog", "Identifier": { "PURL": "pkg:pypi/colorlog@6.10.1", "UID": "1338895afd9babe", "BOMRef": "pkg:pypi/colorlog@6.10.1" }, "Version": "6.10.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:568cf0839c2e5c5706101dd3eb417332f95377002f5c2ac7edf7be4b4fc1e32b", "DiffID": "sha256:b667b36a7cbb543a2e773320ce0bb6938352eca67219e48928d269a81515b90a" }, "FilePath": "usr/lib/python3.13/site-packages/colorlog-6.10.1.dist-info/METADATA", "Digest": "sha1:1e483d118fd419ad747606c4077726b5c4eb324e" }, { "ID": "cryptography@44.0.1", "Name": "cryptography", "Identifier": { "PURL": "pkg:pypi/cryptography@44.0.1", "UID": "b2f6b22b39d220d0", "BOMRef": "pkg:pypi/cryptography@44.0.1" }, "Version": "44.0.1", "Licenses": [ "Apache-2.0", "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/cryptography-44.0.1.dist-info/METADATA", "Digest": "sha1:aef76b643d459e44dcfef3e674e4b6f562ba0d59" }, { "ID": "ddtrace@2.19.0", "Name": "ddtrace", "Identifier": { "PURL": "pkg:pypi/ddtrace@2.19.0", "UID": "fa760438423a0d4a", "BOMRef": "pkg:pypi/ddtrace@2.19.0" }, "Version": "2.19.0", "Licenses": [ "LICENSE.BSD3" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/ddtrace-2.19.0.dist-info/METADATA", "Digest": "sha1:2ebcd7579775a117bf5f63f482aaee4629f69fe4" }, { "ID": "detect-secrets@1.5.0", "Name": "detect-secrets", "Identifier": { "PURL": "pkg:pypi/detect-secrets@1.5.0", "UID": "164025506f061353", "BOMRef": "pkg:pypi/detect-secrets@1.5.0" }, "Version": "1.5.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/detect_secrets-1.5.0.dist-info/METADATA", "Digest": "sha1:7d1969bbb2f0319f127b480fe77211aa27750fe0" }, { "ID": "distro@1.9.0", "Name": "distro", "Identifier": { "PURL": "pkg:pypi/distro@1.9.0", "UID": "6174a0aca3265ead", "BOMRef": "pkg:pypi/distro@1.9.0" }, "Version": "1.9.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/distro-1.9.0.dist-info/METADATA", "Digest": "sha1:ce14620cf14e15a64d2ff574796543f99619e7f3" }, { "ID": "dnspython@2.8.0", "Name": "dnspython", "Identifier": { "PURL": "pkg:pypi/dnspython@2.8.0", "UID": "b15fdc903e3cbe5f", "BOMRef": "pkg:pypi/dnspython@2.8.0" }, "Version": "2.8.0", "Licenses": [ "ISC" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/dnspython-2.8.0.dist-info/METADATA", "Digest": "sha1:360d6b80b919fa0fc9e41d101229c937531c4eae" }, { "ID": "docstring_parser@0.17.0", "Name": "docstring_parser", "Identifier": { "PURL": "pkg:pypi/docstring-parser@0.17.0", "UID": "1a376078864813b3", "BOMRef": "pkg:pypi/docstring-parser@0.17.0" }, "Version": "0.17.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/docstring_parser-0.17.0.dist-info/METADATA", "Digest": "sha1:323acb9780928a71e223759cfc8be2793bec7072" }, { "ID": "email-validator@2.3.0", "Name": "email-validator", "Identifier": { "PURL": "pkg:pypi/email-validator@2.3.0", "UID": "da74c7cb75b0d0f", "BOMRef": "pkg:pypi/email-validator@2.3.0" }, "Version": "2.3.0", "Licenses": [ "Unlicense" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/email_validator-2.3.0.dist-info/METADATA", "Digest": "sha1:8142c15247202bec284e8950c96b7f43b35ca5bc" }, { "ID": "envier@0.6.1", "Name": "envier", "Identifier": { "PURL": "pkg:pypi/envier@0.6.1", "UID": "97520e32bfb8fc16", "BOMRef": "pkg:pypi/envier@0.6.1" }, "Version": "0.6.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/envier-0.6.1.dist-info/METADATA", "Digest": "sha1:ecb20fe2699b6e8934bacad17926b535edc4ec40" }, { "ID": "fastapi@0.120.1", "Name": "fastapi", "Identifier": { "PURL": "pkg:pypi/fastapi@0.120.1", "UID": "6e1eb6e7937da1ae", "BOMRef": "pkg:pypi/fastapi@0.120.1" }, "Version": "0.120.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/fastapi-0.120.1.dist-info/METADATA", "Digest": "sha1:dea486b90696587ab48cbda958327ec048f93eb3" }, { "ID": "fastapi-sso@0.19.0", "Name": "fastapi-sso", "Identifier": { "PURL": "pkg:pypi/fastapi-sso@0.19.0", "UID": "601db85a124154a4", "BOMRef": "pkg:pypi/fastapi-sso@0.19.0" }, "Version": "0.19.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/fastapi_sso-0.19.0.dist-info/METADATA", "Digest": "sha1:f08f145ee8c7c5c113436e3ba3fb8f1081e8a6fc" }, { "ID": "fastuuid@0.13.5", "Name": "fastuuid", "Identifier": { "PURL": "pkg:pypi/fastuuid@0.13.5", "UID": "af8915d67f460de0", "BOMRef": "pkg:pypi/fastuuid@0.13.5" }, "Version": "0.13.5", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/fastuuid-0.13.5.dist-info/METADATA", "Digest": "sha1:589a21152a88244902586741669f828037c88a4f" }, { "ID": "filelock@3.20.3", "Name": "filelock", "Identifier": { "PURL": "pkg:pypi/filelock@3.20.3", "UID": "9fa8d78a24ddf2c3", "BOMRef": "pkg:pypi/filelock@3.20.3" }, "Version": "3.20.3", "Licenses": [ "Unlicense" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/filelock-3.20.3.dist-info/METADATA", "Digest": "sha1:059d047f0b93d3e1a31f4dec68b60d92a892aca5" }, { "ID": "frozenlist@1.8.0", "Name": "frozenlist", "Identifier": { "PURL": "pkg:pypi/frozenlist@1.8.0", "UID": "8fdbbdace15d3705", "BOMRef": "pkg:pypi/frozenlist@1.8.0" }, "Version": "1.8.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/frozenlist-1.8.0.dist-info/METADATA", "Digest": "sha1:4a37873aab1c5eaffcecd2aa93be12e9e4b2a19c" }, { "ID": "fsspec@2026.1.0", "Name": "fsspec", "Identifier": { "PURL": "pkg:pypi/fsspec@2026.1.0", "UID": "dca71c377fd00b40", "BOMRef": "pkg:pypi/fsspec@2026.1.0" }, "Version": "2026.1.0", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/fsspec-2026.1.0.dist-info/METADATA", "Digest": "sha1:2773c1fb51c585f84802ada06ded605800ba9459" }, { "ID": "google-ai-generativelanguage@0.6.1", "Name": "google-ai-generativelanguage", "Identifier": { "PURL": "pkg:pypi/google-ai-generativelanguage@0.6.1", "UID": "e34c12e1f32b372e", "BOMRef": "pkg:pypi/google-ai-generativelanguage@0.6.1" }, "Version": "0.6.1", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_ai_generativelanguage-0.6.1.dist-info/METADATA", "Digest": "sha1:852470bfafb574582876af8989a9917b99111cef" }, { "ID": "google-api-core@2.29.0", "Name": "google-api-core", "Identifier": { "PURL": "pkg:pypi/google-api-core@2.29.0", "UID": "7c2d41b37f27ef0", "BOMRef": "pkg:pypi/google-api-core@2.29.0" }, "Version": "2.29.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_api_core-2.29.0.dist-info/METADATA", "Digest": "sha1:af9ca366952256ccc0b867dcecbc332949719aa7" }, { "ID": "google-api-python-client@2.188.0", "Name": "google-api-python-client", "Identifier": { "PURL": "pkg:pypi/google-api-python-client@2.188.0", "UID": "21f33b63015a4bd3", "BOMRef": "pkg:pypi/google-api-python-client@2.188.0" }, "Version": "2.188.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_api_python_client-2.188.0.dist-info/METADATA", "Digest": "sha1:5045765ec78b4a127b78d34d17fed920685d3308" }, { "ID": "google-auth@2.47.0", "Name": "google-auth", "Identifier": { "PURL": "pkg:pypi/google-auth@2.47.0", "UID": "aeec413bcf05aa38", "BOMRef": "pkg:pypi/google-auth@2.47.0" }, "Version": "2.47.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_auth-2.47.0.dist-info/METADATA", "Digest": "sha1:9de4891600f82cf8044d168e531faed7a570667b" }, { "ID": "google-auth-httplib2@0.3.0", "Name": "google-auth-httplib2", "Identifier": { "PURL": "pkg:pypi/google-auth-httplib2@0.3.0", "UID": "64408140bdb4a17d", "BOMRef": "pkg:pypi/google-auth-httplib2@0.3.0" }, "Version": "0.3.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_auth_httplib2-0.3.0.dist-info/METADATA", "Digest": "sha1:3af865473cb2ec5ab0e2456a92dc949dabea8097" }, { "ID": "google-cloud-aiplatform@1.47.0", "Name": "google-cloud-aiplatform", "Identifier": { "PURL": "pkg:pypi/google-cloud-aiplatform@1.47.0", "UID": "4eab7949b47e74b", "BOMRef": "pkg:pypi/google-cloud-aiplatform@1.47.0" }, "Version": "1.47.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_cloud_aiplatform-1.47.0.dist-info/METADATA", "Digest": "sha1:712eadc2ac0ef64bf34611f40137875de0e97473" }, { "ID": "google-cloud-bigquery@3.40.0", "Name": "google-cloud-bigquery", "Identifier": { "PURL": "pkg:pypi/google-cloud-bigquery@3.40.0", "UID": "2c962680361d08bb", "BOMRef": "pkg:pypi/google-cloud-bigquery@3.40.0" }, "Version": "3.40.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_cloud_bigquery-3.40.0.dist-info/METADATA", "Digest": "sha1:d2dfe52cd3b946c33538297e0619fa279fff99ca" }, { "ID": "google-cloud-core@2.5.0", "Name": "google-cloud-core", "Identifier": { "PURL": "pkg:pypi/google-cloud-core@2.5.0", "UID": "9088d35f0276a2e8", "BOMRef": "pkg:pypi/google-cloud-core@2.5.0" }, "Version": "2.5.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_cloud_core-2.5.0.dist-info/METADATA", "Digest": "sha1:2353786cf89c5a50fc3a68db6736b632754e1b76" }, { "ID": "google-cloud-iam@2.19.1", "Name": "google-cloud-iam", "Identifier": { "PURL": "pkg:pypi/google-cloud-iam@2.19.1", "UID": "ba5d5f099b05e6dc", "BOMRef": "pkg:pypi/google-cloud-iam@2.19.1" }, "Version": "2.19.1", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_cloud_iam-2.19.1.dist-info/METADATA", "Digest": "sha1:28391d5c4dd89160b13ec2ef8c597d3164c4c91a" }, { "ID": "google-cloud-resource-manager@1.16.0", "Name": "google-cloud-resource-manager", "Identifier": { "PURL": "pkg:pypi/google-cloud-resource-manager@1.16.0", "UID": "9fb9817560d02d5", "BOMRef": "pkg:pypi/google-cloud-resource-manager@1.16.0" }, "Version": "1.16.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_cloud_resource_manager-1.16.0.dist-info/METADATA", "Digest": "sha1:94bdb211cfd6933e89c9e8f1833e3fcb28caae26" }, { "ID": "google-cloud-storage@2.19.0", "Name": "google-cloud-storage", "Identifier": { "PURL": "pkg:pypi/google-cloud-storage@2.19.0", "UID": "28c86bab49761ac6", "BOMRef": "pkg:pypi/google-cloud-storage@2.19.0" }, "Version": "2.19.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_cloud_storage-2.19.0.dist-info/METADATA", "Digest": "sha1:bbc32bb8c69728706dd999bfb0124d3ae5652ced" }, { "ID": "google-crc32c@1.8.0", "Name": "google-crc32c", "Identifier": { "PURL": "pkg:pypi/google-crc32c@1.8.0", "UID": "4b57c26fd3661086", "BOMRef": "pkg:pypi/google-crc32c@1.8.0" }, "Version": "1.8.0", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_crc32c-1.8.0.dist-info/METADATA", "Digest": "sha1:740ce2636255b7035fbcef210995df5b4484e1b3" }, { "ID": "google-genai@1.22.0", "Name": "google-genai", "Identifier": { "PURL": "pkg:pypi/google-genai@1.22.0", "UID": "b3bfafeebc3f1bf5", "BOMRef": "pkg:pypi/google-genai@1.22.0" }, "Version": "1.22.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_genai-1.22.0.dist-info/METADATA", "Digest": "sha1:2fe02766d8f70d09d742b87d0fb4e07c0b2f79f6" }, { "ID": "google-generativeai@0.5.0", "Name": "google-generativeai", "Identifier": { "PURL": "pkg:pypi/google-generativeai@0.5.0", "UID": "e6fb968213d32f51", "BOMRef": "pkg:pypi/google-generativeai@0.5.0" }, "Version": "0.5.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_generativeai-0.5.0.dist-info/METADATA", "Digest": "sha1:737cc1ecf8d3c35628cbbe7614b10b70241641a4" }, { "ID": "google-resumable-media@2.8.0", "Name": "google-resumable-media", "Identifier": { "PURL": "pkg:pypi/google-resumable-media@2.8.0", "UID": "f995b69dad0a8d", "BOMRef": "pkg:pypi/google-resumable-media@2.8.0" }, "Version": "2.8.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/google_resumable_media-2.8.0.dist-info/METADATA", "Digest": "sha1:a0a8dc418f86589aa080bb59708ed5aee38faacc" }, { "ID": "googleapis-common-protos@1.72.0", "Name": "googleapis-common-protos", "Identifier": { "PURL": "pkg:pypi/googleapis-common-protos@1.72.0", "UID": "aba9e89aa1225a33", "BOMRef": "pkg:pypi/googleapis-common-protos@1.72.0" }, "Version": "1.72.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/googleapis_common_protos-1.72.0.dist-info/METADATA", "Digest": "sha1:78df7b249d5272b19c5adc5c8a9b3b2dee57311c" }, { "ID": "grpc-google-iam-v1@0.14.3", "Name": "grpc-google-iam-v1", "Identifier": { "PURL": "pkg:pypi/grpc-google-iam-v1@0.14.3", "UID": "d029c5057ada874f", "BOMRef": "pkg:pypi/grpc-google-iam-v1@0.14.3" }, "Version": "0.14.3", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/grpc_google_iam_v1-0.14.3.dist-info/METADATA", "Digest": "sha1:98adc7e2fe504130f48db8ccb34db6820d396145" }, { "ID": "grpcio@1.76.0", "Name": "grpcio", "Identifier": { "PURL": "pkg:pypi/grpcio@1.76.0", "UID": "3d42f77f7efc27c6", "BOMRef": "pkg:pypi/grpcio@1.76.0" }, "Version": "1.76.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/grpcio-1.76.0.dist-info/METADATA", "Digest": "sha1:0c9686200b449c0fa577ab843574fed463a7f590" }, { "ID": "grpcio-status@1.62.3", "Name": "grpcio-status", "Identifier": { "PURL": "pkg:pypi/grpcio-status@1.62.3", "UID": "8167c829b4e91e97", "BOMRef": "pkg:pypi/grpcio-status@1.62.3" }, "Version": "1.62.3", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/grpcio_status-1.62.3.dist-info/METADATA", "Digest": "sha1:0bdfcffdb338040fd7b56e53be4d80d94b24d281" }, { "ID": "gunicorn@23.0.0", "Name": "gunicorn", "Identifier": { "PURL": "pkg:pypi/gunicorn@23.0.0", "UID": "dac1928db2ddbdb6", "BOMRef": "pkg:pypi/gunicorn@23.0.0" }, "Version": "23.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/gunicorn-23.0.0.dist-info/METADATA", "Digest": "sha1:8de2f53497d5444853a1df1f44ff417831194283" }, { "ID": "h11@0.16.0", "Name": "h11", "Identifier": { "PURL": "pkg:pypi/h11@0.16.0", "UID": "967b80c934078caf", "BOMRef": "pkg:pypi/h11@0.16.0" }, "Version": "0.16.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/h11-0.16.0.dist-info/METADATA", "Digest": "sha1:5d41eddffefef5f6e8ff383a2537e81a38a37807" }, { "ID": "hf-xet@1.2.0", "Name": "hf-xet", "Identifier": { "PURL": "pkg:pypi/hf-xet@1.2.0", "UID": "8d3c24c202094c25", "BOMRef": "pkg:pypi/hf-xet@1.2.0" }, "Version": "1.2.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/hf_xet-1.2.0.dist-info/METADATA", "Digest": "sha1:c62213b030017c3a6179d95b00ac0b58fa58b6d8" }, { "ID": "httpcore@1.0.9", "Name": "httpcore", "Identifier": { "PURL": "pkg:pypi/httpcore@1.0.9", "UID": "acb966f0f77ba8b7", "BOMRef": "pkg:pypi/httpcore@1.0.9" }, "Version": "1.0.9", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/httpcore-1.0.9.dist-info/METADATA", "Digest": "sha1:2981d359ae33f31d339189a9680db85785339a56" }, { "ID": "httplib2@0.31.1", "Name": "httplib2", "Identifier": { "PURL": "pkg:pypi/httplib2@0.31.1", "UID": "15360ed1a552f8bc", "BOMRef": "pkg:pypi/httplib2@0.31.1" }, "Version": "0.31.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/httplib2-0.31.1.dist-info/METADATA", "Digest": "sha1:a4dfabc8b4593e9b45f0e77f05fd6e6e9c4bd002" }, { "ID": "httpx@0.28.1", "Name": "httpx", "Identifier": { "PURL": "pkg:pypi/httpx@0.28.1", "UID": "ba8a99940e58f3ee", "BOMRef": "pkg:pypi/httpx@0.28.1" }, "Version": "0.28.1", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/httpx-0.28.1.dist-info/METADATA", "Digest": "sha1:537da7e4f29438278e124e10e02d1a500fe33bcc" }, { "ID": "httpx-sse@0.4.3", "Name": "httpx-sse", "Identifier": { "PURL": "pkg:pypi/httpx-sse@0.4.3", "UID": "33840787ca6192d5", "BOMRef": "pkg:pypi/httpx-sse@0.4.3" }, "Version": "0.4.3", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/httpx_sse-0.4.3.dist-info/METADATA", "Digest": "sha1:df05446be58f0a3a306e50c7ceebef24bb383a6d" }, { "ID": "huggingface-hub@0.36.0", "Name": "huggingface-hub", "Identifier": { "PURL": "pkg:pypi/huggingface-hub@0.36.0", "UID": "a796507cb80aa650", "BOMRef": "pkg:pypi/huggingface-hub@0.36.0" }, "Version": "0.36.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/huggingface_hub-0.36.0.dist-info/METADATA", "Digest": "sha1:e8f60430e86290a4c4d15d40982709c114a9b29f" }, { "ID": "idna@3.11", "Name": "idna", "Identifier": { "PURL": "pkg:pypi/idna@3.11", "UID": "a92bf4091acf4ff1", "BOMRef": "pkg:pypi/idna@3.11" }, "Version": "3.11", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/idna-3.11.dist-info/METADATA", "Digest": "sha1:5e73674d19cce0601253436a2e5544abe09b9bc3" }, { "ID": "importlib-metadata@6.8.0", "Name": "importlib-metadata", "Identifier": { "PURL": "pkg:pypi/importlib-metadata@6.8.0", "UID": "fa16596166599526", "BOMRef": "pkg:pypi/importlib-metadata@6.8.0" }, "Version": "6.8.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/importlib_metadata-6.8.0.dist-info/METADATA", "Digest": "sha1:691851957e4c1cce8fa41d0f23cd83355dbb8756" }, { "ID": "isodate@0.7.2", "Name": "isodate", "Identifier": { "PURL": "pkg:pypi/isodate@0.7.2", "UID": "8da378bccea68125", "BOMRef": "pkg:pypi/isodate@0.7.2" }, "Version": "0.7.2", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/isodate-0.7.2.dist-info/METADATA", "Digest": "sha1:364399ca9e27df70628e3aff9c8b7b1da601f95d" }, { "ID": "jiter@0.12.0", "Name": "jiter", "Identifier": { "PURL": "pkg:pypi/jiter@0.12.0", "UID": "5976b68495414fdf", "BOMRef": "pkg:pypi/jiter@0.12.0" }, "Version": "0.12.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/jiter-0.12.0.dist-info/METADATA", "Digest": "sha1:4ffc4f49968804ffac9bbb784504e7833b2b1d71" }, { "ID": "jmespath@1.0.1", "Name": "jmespath", "Identifier": { "PURL": "pkg:pypi/jmespath@1.0.1", "UID": "978271d8e8debf10", "BOMRef": "pkg:pypi/jmespath@1.0.1" }, "Version": "1.0.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/jmespath-1.0.1.dist-info/METADATA", "Digest": "sha1:2cdba9ea8aa5fc46cc880b9b2ffc43a81472ea10" }, { "ID": "jsonschema@4.26.0", "Name": "jsonschema", "Identifier": { "PURL": "pkg:pypi/jsonschema@4.26.0", "UID": "f4473419ffed0df7", "BOMRef": "pkg:pypi/jsonschema@4.26.0" }, "Version": "4.26.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/jsonschema-4.26.0.dist-info/METADATA", "Digest": "sha1:94b3d1a46cf55d74e42c401eaf4a4b71c76cee31" }, { "ID": "jsonschema-path@0.3.4", "Name": "jsonschema-path", "Identifier": { "PURL": "pkg:pypi/jsonschema-path@0.3.4", "UID": "5fdfb604f128d6d2", "BOMRef": "pkg:pypi/jsonschema-path@0.3.4" }, "Version": "0.3.4", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/jsonschema_path-0.3.4.dist-info/METADATA", "Digest": "sha1:48b69894bc45f3344dbe1daa7be14933b12db09a" }, { "ID": "jsonschema-specifications@2025.9.1", "Name": "jsonschema-specifications", "Identifier": { "PURL": "pkg:pypi/jsonschema-specifications@2025.9.1", "UID": "25025d8dbfb89b70", "BOMRef": "pkg:pypi/jsonschema-specifications@2025.9.1" }, "Version": "2025.9.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/jsonschema_specifications-2025.9.1.dist-info/METADATA", "Digest": "sha1:ac33f477be9d3336ae67bc454f68a9ff39c91cf3" }, { "ID": "langfuse@2.59.7", "Name": "langfuse", "Identifier": { "PURL": "pkg:pypi/langfuse@2.59.7", "UID": "45d41d85000235a8", "BOMRef": "pkg:pypi/langfuse@2.59.7" }, "Version": "2.59.7", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/langfuse-2.59.7.dist-info/METADATA", "Digest": "sha1:64b00766ce586ee8bc229e1d1c519bbbaccf82af" }, { "ID": "lazy-object-proxy@1.12.0", "Name": "lazy-object-proxy", "Identifier": { "PURL": "pkg:pypi/lazy-object-proxy@1.12.0", "UID": "579f31196cde6ed9", "BOMRef": "pkg:pypi/lazy-object-proxy@1.12.0" }, "Version": "1.12.0", "Licenses": [ "BSD-2-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/lazy_object_proxy-1.12.0.dist-info/METADATA", "Digest": "sha1:68e349fa87b22a25e3af674e29698bb08d37a074" }, { "ID": "legacy-cgi@2.6.4", "Name": "legacy-cgi", "Identifier": { "PURL": "pkg:pypi/legacy-cgi@2.6.4", "UID": "8cf0f53e2dd9fb4a", "BOMRef": "pkg:pypi/legacy-cgi@2.6.4" }, "Version": "2.6.4", "Licenses": [ "PSF-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/legacy_cgi-2.6.4.dist-info/METADATA", "Digest": "sha1:23159c15d8f7c3223df17c75f23eb2d59ef58128" }, { "ID": "litellm@1.80.15", "Name": "litellm", "Identifier": { "PURL": "pkg:pypi/litellm@1.80.15", "UID": "5e02ef4e816b42f8", "BOMRef": "pkg:pypi/litellm@1.80.15" }, "Version": "1.80.15", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/litellm-1.80.15.dist-info/METADATA", "Digest": "sha1:fdf6fabf2dae519031a4730318534335f04d06af" }, { "ID": "litellm-enterprise@0.1.27", "Name": "litellm-enterprise", "Identifier": { "PURL": "pkg:pypi/litellm-enterprise@0.1.27", "UID": "bbb1585930f8eb65", "BOMRef": "pkg:pypi/litellm-enterprise@0.1.27" }, "Version": "0.1.27", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/litellm_enterprise-0.1.27.dist-info/METADATA", "Digest": "sha1:482b8480ce46b7db3ce3ce479fe754f58b380c5e" }, { "ID": "litellm-proxy-extras@0.4.21", "Name": "litellm-proxy-extras", "Identifier": { "PURL": "pkg:pypi/litellm-proxy-extras@0.4.21", "UID": "620e8552c2e383c6", "BOMRef": "pkg:pypi/litellm-proxy-extras@0.4.21" }, "Version": "0.4.21", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/litellm_proxy_extras-0.4.21.dist-info/METADATA", "Digest": "sha1:47106f629934f65c52a450a2f4e96ff6bad72c0d" }, { "ID": "llm-sandbox@0.3.31", "Name": "llm-sandbox", "Identifier": { "PURL": "pkg:pypi/llm-sandbox@0.3.31", "UID": "f96be4d34f317a6d", "BOMRef": "pkg:pypi/llm-sandbox@0.3.31" }, "Version": "0.3.31", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/llm_sandbox-0.3.31.dist-info/METADATA", "Digest": "sha1:85bb0474aad9559dff054282fdd4b29a4f92a80e" }, { "ID": "mangum@0.17.0", "Name": "mangum", "Identifier": { "PURL": "pkg:pypi/mangum@0.17.0", "UID": "3a2fe61fbcff04c9", "BOMRef": "pkg:pypi/mangum@0.17.0" }, "Version": "0.17.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/mangum-0.17.0.dist-info/METADATA", "Digest": "sha1:0957be909988180dffafaf9c6ef2301be9a0739b" }, { "ID": "markdown-it-py@4.0.0", "Name": "markdown-it-py", "Identifier": { "PURL": "pkg:pypi/markdown-it-py@4.0.0", "UID": "fd6df85c5d020eee", "BOMRef": "pkg:pypi/markdown-it-py@4.0.0" }, "Version": "4.0.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/markdown_it_py-4.0.0.dist-info/METADATA", "Digest": "sha1:0cee543cadd1bdc67e8d1acd6fae8cc419523f4c" }, { "ID": "mcp@1.25.0", "Name": "mcp", "Identifier": { "PURL": "pkg:pypi/mcp@1.25.0", "UID": "14f480efac7e2a55", "BOMRef": "pkg:pypi/mcp@1.25.0" }, "Version": "1.25.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/mcp-1.25.0.dist-info/METADATA", "Digest": "sha1:c86fd9fb3b07f6b9cb4a3ade6abcc16c1c763399" }, { "ID": "mdurl@0.1.2", "Name": "mdurl", "Identifier": { "PURL": "pkg:pypi/mdurl@0.1.2", "UID": "82892c57cb20dc4d", "BOMRef": "pkg:pypi/mdurl@0.1.2" }, "Version": "0.1.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/mdurl-0.1.2.dist-info/METADATA", "Digest": "sha1:cc9d84bf84be59dd90368ea2f5e3a9fae8f0f1b7" }, { "ID": "more-itertools@10.8.0", "Name": "more-itertools", "Identifier": { "PURL": "pkg:pypi/more-itertools@10.8.0", "UID": "4021f093e9aa953a", "BOMRef": "pkg:pypi/more-itertools@10.8.0" }, "Version": "10.8.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/more_itertools-10.8.0.dist-info/METADATA", "Digest": "sha1:55aef894a0f39f280471306f0c5ecf3730ff5863" }, { "ID": "msal@1.34.0", "Name": "msal", "Identifier": { "PURL": "pkg:pypi/msal@1.34.0", "UID": "1b6a0260330c9ae5", "BOMRef": "pkg:pypi/msal@1.34.0" }, "Version": "1.34.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/msal-1.34.0.dist-info/METADATA", "Digest": "sha1:9992cd494a1c8486b1a65e94cb1998d2ef320093" }, { "ID": "msal-extensions@1.3.1", "Name": "msal-extensions", "Identifier": { "PURL": "pkg:pypi/msal-extensions@1.3.1", "UID": "72052a9793621434", "BOMRef": "pkg:pypi/msal-extensions@1.3.1" }, "Version": "1.3.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/msal_extensions-1.3.1.dist-info/METADATA", "Digest": "sha1:41015e491016a80539109491a22adb22f7c7dddd" }, { "ID": "multidict@6.7.0", "Name": "multidict", "Identifier": { "PURL": "pkg:pypi/multidict@6.7.0", "UID": "627b293837589855", "BOMRef": "pkg:pypi/multidict@6.7.0" }, "Version": "6.7.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/multidict-6.7.0.dist-info/METADATA", "Digest": "sha1:a712fee376224f658b18bbbd255b47b4fad3e126" }, { "ID": "nodeenv@1.10.0", "Name": "nodeenv", "Identifier": { "PURL": "pkg:pypi/nodeenv@1.10.0", "UID": "49864ea383b835c7", "BOMRef": "pkg:pypi/nodeenv@1.10.0" }, "Version": "1.10.0", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodeenv-1.10.0.dist-info/METADATA", "Digest": "sha1:1b29a746e209117735cc705714358dbf9e858eb4" }, { "ID": "nodejs-wheel-binaries@24.12.0", "Name": "nodejs-wheel-binaries", "Identifier": { "PURL": "pkg:pypi/nodejs-wheel-binaries@24.12.0", "UID": "a6435e9ef9265e01", "BOMRef": "pkg:pypi/nodejs-wheel-binaries@24.12.0" }, "Version": "24.12.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/nodejs_wheel_binaries-24.12.0.dist-info/METADATA", "Digest": "sha1:8a102cd330d17e7e42361b3326da94281c9b8427" }, { "ID": "numpy@2.4.1", "Name": "numpy", "Identifier": { "PURL": "pkg:pypi/numpy@2.4.1", "UID": "7ff9d506de32e605", "BOMRef": "pkg:pypi/numpy@2.4.1" }, "Version": "2.4.1", "Licenses": [ "BSD-3-Clause AND 0BSD AND MIT AND Zlib AND CC0-1.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/numpy-2.4.1.dist-info/METADATA", "Digest": "sha1:063ee7592334a882dda9b02ca6981115801d06ff" }, { "ID": "oauthlib@3.3.1", "Name": "oauthlib", "Identifier": { "PURL": "pkg:pypi/oauthlib@3.3.1", "UID": "bf3efd5a6965ba6c", "BOMRef": "pkg:pypi/oauthlib@3.3.1" }, "Version": "3.3.1", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/oauthlib-3.3.1.dist-info/METADATA", "Digest": "sha1:9ba5229bceb66742065501d44c4e07f8b401d4c8" }, { "ID": "openai@2.9.0", "Name": "openai", "Identifier": { "PURL": "pkg:pypi/openai@2.9.0", "UID": "2372eb06ec894436", "BOMRef": "pkg:pypi/openai@2.9.0" }, "Version": "2.9.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/openai-2.9.0.dist-info/METADATA", "Digest": "sha1:3a50a52d05f9d1a9114c73731816df78928764c0" }, { "ID": "openapi-core@0.21.0", "Name": "openapi-core", "Identifier": { "PURL": "pkg:pypi/openapi-core@0.21.0", "UID": "426e1541dddfe9e6", "BOMRef": "pkg:pypi/openapi-core@0.21.0" }, "Version": "0.21.0", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/openapi_core-0.21.0.dist-info/METADATA", "Digest": "sha1:23d2501e93de078ce5136cd7b4e20a7463c210f4" }, { "ID": "openapi-schema-validator@0.6.3", "Name": "openapi-schema-validator", "Identifier": { "PURL": "pkg:pypi/openapi-schema-validator@0.6.3", "UID": "cfd3a13998829ad1", "BOMRef": "pkg:pypi/openapi-schema-validator@0.6.3" }, "Version": "0.6.3", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/openapi_schema_validator-0.6.3.dist-info/METADATA", "Digest": "sha1:94ac2dfdccefaac1f8f6efc0ce4e4713274af79f" }, { "ID": "openapi-spec-validator@0.7.2", "Name": "openapi-spec-validator", "Identifier": { "PURL": "pkg:pypi/openapi-spec-validator@0.7.2", "UID": "d9ecb2fed3f9aa3b", "BOMRef": "pkg:pypi/openapi-spec-validator@0.7.2" }, "Version": "0.7.2", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/openapi_spec_validator-0.7.2.dist-info/METADATA", "Digest": "sha1:3b8226cdb965b31b940c1bfaba9d0b337cc0c8f8" }, { "ID": "opentelemetry-api@1.25.0", "Name": "opentelemetry-api", "Identifier": { "PURL": "pkg:pypi/opentelemetry-api@1.25.0", "UID": "786d17a28d1507bd", "BOMRef": "pkg:pypi/opentelemetry-api@1.25.0" }, "Version": "1.25.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/opentelemetry_api-1.25.0.dist-info/METADATA", "Digest": "sha1:cce31e3e685539bd1e0009b8edcdfb8a3d1cbb29" }, { "ID": "opentelemetry-exporter-otlp@1.25.0", "Name": "opentelemetry-exporter-otlp", "Identifier": { "PURL": "pkg:pypi/opentelemetry-exporter-otlp@1.25.0", "UID": "66b106431121e7d2", "BOMRef": "pkg:pypi/opentelemetry-exporter-otlp@1.25.0" }, "Version": "1.25.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/opentelemetry_exporter_otlp-1.25.0.dist-info/METADATA", "Digest": "sha1:dc4cb896617d3921e5d19247eac5f0e9eed252a0" }, { "ID": "opentelemetry-exporter-otlp-proto-common@1.25.0", "Name": "opentelemetry-exporter-otlp-proto-common", "Identifier": { "PURL": "pkg:pypi/opentelemetry-exporter-otlp-proto-common@1.25.0", "UID": "8b8b9dc485801626", "BOMRef": "pkg:pypi/opentelemetry-exporter-otlp-proto-common@1.25.0" }, "Version": "1.25.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/opentelemetry_exporter_otlp_proto_common-1.25.0.dist-info/METADATA", "Digest": "sha1:28480f0632328a6b103dc16fd3edd93fd2ea1c4c" }, { "ID": "opentelemetry-exporter-otlp-proto-grpc@1.25.0", "Name": "opentelemetry-exporter-otlp-proto-grpc", "Identifier": { "PURL": "pkg:pypi/opentelemetry-exporter-otlp-proto-grpc@1.25.0", "UID": "d174f5a097e552ee", "BOMRef": "pkg:pypi/opentelemetry-exporter-otlp-proto-grpc@1.25.0" }, "Version": "1.25.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/opentelemetry_exporter_otlp_proto_grpc-1.25.0.dist-info/METADATA", "Digest": "sha1:bfadca80901628889c060bfd5a0c5a669825991c" }, { "ID": "opentelemetry-exporter-otlp-proto-http@1.25.0", "Name": "opentelemetry-exporter-otlp-proto-http", "Identifier": { "PURL": "pkg:pypi/opentelemetry-exporter-otlp-proto-http@1.25.0", "UID": "17aedec7e443f9d2", "BOMRef": "pkg:pypi/opentelemetry-exporter-otlp-proto-http@1.25.0" }, "Version": "1.25.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/opentelemetry_exporter_otlp_proto_http-1.25.0.dist-info/METADATA", "Digest": "sha1:922cee3a37f0e2ef2d3742967a8a92ae34d643b1" }, { "ID": "opentelemetry-proto@1.25.0", "Name": "opentelemetry-proto", "Identifier": { "PURL": "pkg:pypi/opentelemetry-proto@1.25.0", "UID": "30f84c67c6dee887", "BOMRef": "pkg:pypi/opentelemetry-proto@1.25.0" }, "Version": "1.25.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/opentelemetry_proto-1.25.0.dist-info/METADATA", "Digest": "sha1:bafd93278805457b33b128c28a92a4e906756579" }, { "ID": "opentelemetry-sdk@1.25.0", "Name": "opentelemetry-sdk", "Identifier": { "PURL": "pkg:pypi/opentelemetry-sdk@1.25.0", "UID": "686ef13155f7e04c", "BOMRef": "pkg:pypi/opentelemetry-sdk@1.25.0" }, "Version": "1.25.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/opentelemetry_sdk-1.25.0.dist-info/METADATA", "Digest": "sha1:396631cca0acdbfb84b81863c28804bebf878cfd" }, { "ID": "opentelemetry-semantic-conventions@0.46b0", "Name": "opentelemetry-semantic-conventions", "Identifier": { "PURL": "pkg:pypi/opentelemetry-semantic-conventions@0.46b0", "UID": "a9fe95fda5a79d9f", "BOMRef": "pkg:pypi/opentelemetry-semantic-conventions@0.46b0" }, "Version": "0.46b0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/opentelemetry_semantic_conventions-0.46b0.dist-info/METADATA", "Digest": "sha1:38b379c0a10639ad0cf8030b0de5e27f70950535" }, { "ID": "orjson@3.11.2", "Name": "orjson", "Identifier": { "PURL": "pkg:pypi/orjson@3.11.2", "UID": "ea6affccb9564162", "BOMRef": "pkg:pypi/orjson@3.11.2" }, "Version": "3.11.2", "Licenses": [ "Apache-2.0", "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/orjson-3.11.2.dist-info/METADATA", "Digest": "sha1:3ebc8fb8aad9e39b0e3069445ed93a000af1c9a8" }, { "ID": "packaging@24.2", "Name": "packaging", "Identifier": { "PURL": "pkg:pypi/packaging@24.2", "UID": "ad5c7cdbdd484e5f", "BOMRef": "pkg:pypi/packaging@24.2" }, "Version": "24.2", "Licenses": [ "Apache-2.0", "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/packaging-24.2.dist-info/METADATA", "Digest": "sha1:292b8d19cdc308e072817b6407cac3cb5175a060" }, { "ID": "pathable@0.4.4", "Name": "pathable", "Identifier": { "PURL": "pkg:pypi/pathable@0.4.4", "UID": "3387dd1fce34eaa", "BOMRef": "pkg:pypi/pathable@0.4.4" }, "Version": "0.4.4", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/pathable-0.4.4.dist-info/METADATA", "Digest": "sha1:866e61605d29a563f1cdd110899065ddb5f2f482" }, { "ID": "pillow@11.0.0", "Name": "pillow", "Identifier": { "PURL": "pkg:pypi/pillow@11.0.0", "UID": "36fd427c3e790091", "BOMRef": "pkg:pypi/pillow@11.0.0" }, "Version": "11.0.0", "Licenses": [ "CMU License (MIT-CMU)" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/pillow-11.0.0.dist-info/METADATA", "Digest": "sha1:e4bd88e655b298ea8862420833c05b430e6c32a8" }, { "ID": "polars@1.31.0", "Name": "polars", "Identifier": { "PURL": "pkg:pypi/polars@1.31.0", "UID": "a06c7dc62e3b2c7b", "BOMRef": "pkg:pypi/polars@1.31.0" }, "Version": "1.31.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/polars-1.31.0.dist-info/METADATA", "Digest": "sha1:9372c8d51ed35260721b244d0f1432df652171cf" }, { "ID": "prisma@0.11.0", "Name": "prisma", "Identifier": { "PURL": "pkg:pypi/prisma@0.11.0", "UID": "6405a9a334f3e7c5", "BOMRef": "pkg:pypi/prisma@0.11.0" }, "Version": "0.11.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/prisma-0.11.0.dist-info/METADATA", "Digest": "sha1:fad8c94f4fab264e96c18a22151e04c0cdf411b0" }, { "ID": "prometheus_client@0.20.0", "Name": "prometheus_client", "Identifier": { "PURL": "pkg:pypi/prometheus-client@0.20.0", "UID": "b6b3e7e71a3e2f6e", "BOMRef": "pkg:pypi/prometheus-client@0.20.0" }, "Version": "0.20.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/prometheus_client-0.20.0.dist-info/METADATA", "Digest": "sha1:ca9ab1f552aae8ed12e1084fd9c8347782cb1049" }, { "ID": "propcache@0.4.1", "Name": "propcache", "Identifier": { "PURL": "pkg:pypi/propcache@0.4.1", "UID": "80d5fde11d355f44", "BOMRef": "pkg:pypi/propcache@0.4.1" }, "Version": "0.4.1", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/propcache-0.4.1.dist-info/METADATA", "Digest": "sha1:9b2af7eeab4bcb9bad4ba6d407baa00869b8168c" }, { "ID": "proto-plus@1.27.0", "Name": "proto-plus", "Identifier": { "PURL": "pkg:pypi/proto-plus@1.27.0", "UID": "bbcfaf6400035040", "BOMRef": "pkg:pypi/proto-plus@1.27.0" }, "Version": "1.27.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/proto_plus-1.27.0.dist-info/METADATA", "Digest": "sha1:e41017fc21f9d1ed84f4976c10805ec1cc5bc3b1" }, { "ID": "protobuf@4.25.8", "Name": "protobuf", "Identifier": { "PURL": "pkg:pypi/protobuf@4.25.8", "UID": "bc81518b197f0898", "BOMRef": "pkg:pypi/protobuf@4.25.8" }, "Version": "4.25.8", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/protobuf-4.25.8.dist-info/METADATA", "Digest": "sha1:7d698df5e1671965319f48c7a4a37b589713719e" }, { "ID": "pyasn1@0.6.2", "Name": "pyasn1", "Identifier": { "PURL": "pkg:pypi/pyasn1@0.6.2", "UID": "d1b951d709ff6e13", "BOMRef": "pkg:pypi/pyasn1@0.6.2" }, "Version": "0.6.2", "Licenses": [ "BSD-2-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/pyasn1-0.6.2.dist-info/METADATA", "Digest": "sha1:9e49d4b851f49962151f61b10a5d9c65e5b8eade" }, { "ID": "pyasn1_modules@0.4.2", "Name": "pyasn1_modules", "Identifier": { "PURL": "pkg:pypi/pyasn1-modules@0.4.2", "UID": "5450bc828ad90401", "BOMRef": "pkg:pypi/pyasn1-modules@0.4.2" }, "Version": "0.4.2", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/pyasn1_modules-0.4.2.dist-info/METADATA", "Digest": "sha1:ff67c376a06e456e4caa8a256505a2298f5e7141" }, { "ID": "pycparser@2.23", "Name": "pycparser", "Identifier": { "PURL": "pkg:pypi/pycparser@2.23", "UID": "e97656e0344b40c7", "BOMRef": "pkg:pypi/pycparser@2.23" }, "Version": "2.23", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/pycparser-2.23.dist-info/METADATA", "Digest": "sha1:b0bbc8ab179664a4ef902967de2ba40fbd5e93ae" }, { "ID": "pydantic@2.12.5", "Name": "pydantic", "Identifier": { "PURL": "pkg:pypi/pydantic@2.12.5", "UID": "f44006c4889d064", "BOMRef": "pkg:pypi/pydantic@2.12.5" }, "Version": "2.12.5", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/pydantic-2.12.5.dist-info/METADATA", "Digest": "sha1:83683052da3c86191d3ce41d60fa7f9780cf0478" }, { "ID": "pydantic-settings@2.12.0", "Name": "pydantic-settings", "Identifier": { "PURL": "pkg:pypi/pydantic-settings@2.12.0", "UID": "358ab5d637d9e6b5", "BOMRef": "pkg:pypi/pydantic-settings@2.12.0" }, "Version": "2.12.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/pydantic_settings-2.12.0.dist-info/METADATA", "Digest": "sha1:ba04c497953381f175356d81ca3aed5353a74ffe" }, { "ID": "pydantic_core@2.41.5", "Name": "pydantic_core", "Identifier": { "PURL": "pkg:pypi/pydantic-core@2.41.5", "UID": "b520d4ecd5a8adb7", "BOMRef": "pkg:pypi/pydantic-core@2.41.5" }, "Version": "2.41.5", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/pydantic_core-2.41.5.dist-info/METADATA", "Digest": "sha1:07d49fc75e0fd822fcc2719c0bbece0049fba67a" }, { "ID": "pyparsing@3.3.1", "Name": "pyparsing", "Identifier": { "PURL": "pkg:pypi/pyparsing@3.3.1", "UID": "e6f9ad82747925e4", "BOMRef": "pkg:pypi/pyparsing@3.3.1" }, "Version": "3.3.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/pyparsing-3.3.1.dist-info/METADATA", "Digest": "sha1:d6ec995575ce4a2ef06a1900f09320c4bb57d7c2" }, { "ID": "python-dateutil@2.9.0.post0", "Name": "python-dateutil", "Identifier": { "PURL": "pkg:pypi/python-dateutil@2.9.0.post0", "UID": "7f7128236a9e7c3c", "BOMRef": "pkg:pypi/python-dateutil@2.9.0.post0" }, "Version": "2.9.0.post0", "Licenses": [ "BSD-3-Clause", "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/python_dateutil-2.9.0.post0.dist-info/METADATA", "Digest": "sha1:7a3c35abd86cd96034d5afb0d4b241dc9e13e6f8" }, { "ID": "python-dotenv@1.0.1", "Name": "python-dotenv", "Identifier": { "PURL": "pkg:pypi/python-dotenv@1.0.1", "UID": "48c85e7bde2305cb", "BOMRef": "pkg:pypi/python-dotenv@1.0.1" }, "Version": "1.0.1", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/python_dotenv-1.0.1.dist-info/METADATA", "Digest": "sha1:e0a2e23c662b53538eed76a837fb7ecc9327df7e" }, { "ID": "python-multipart@0.0.18", "Name": "python-multipart", "Identifier": { "PURL": "pkg:pypi/python-multipart@0.0.18", "UID": "cba16e9ef8993539", "BOMRef": "pkg:pypi/python-multipart@0.0.18" }, "Version": "0.0.18", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/python_multipart-0.0.18.dist-info/METADATA", "Digest": "sha1:d63285470f06ba1a434873d592ce32d06e0b9eac" }, { "ID": "pytz@2025.2", "Name": "pytz", "Identifier": { "PURL": "pkg:pypi/pytz@2025.2", "UID": "f5a2bc4b56eee3bd", "BOMRef": "pkg:pypi/pytz@2025.2" }, "Version": "2025.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/pytz-2025.2.dist-info/METADATA", "Digest": "sha1:db28b063c13ef94fa0f89b36bdc6d66776fe5bd5" }, { "ID": "redis@5.2.1", "Name": "redis", "Identifier": { "PURL": "pkg:pypi/redis@5.2.1", "UID": "a268cb4b715d62f1", "BOMRef": "pkg:pypi/redis@5.2.1" }, "Version": "5.2.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/redis-5.2.1.dist-info/METADATA", "Digest": "sha1:27194d5ec4e7a9cda79f44d14513c056aff7d483" }, { "ID": "referencing@0.36.2", "Name": "referencing", "Identifier": { "PURL": "pkg:pypi/referencing@0.36.2", "UID": "6d8b78d5319d04c3", "BOMRef": "pkg:pypi/referencing@0.36.2" }, "Version": "0.36.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/referencing-0.36.2.dist-info/METADATA", "Digest": "sha1:cf1208e207b8130e0abf63be5c1dac8598fb4049" }, { "ID": "regex@2026.1.15", "Name": "regex", "Identifier": { "PURL": "pkg:pypi/regex@2026.1.15", "UID": "137654c3f126eeb4", "BOMRef": "pkg:pypi/regex@2026.1.15" }, "Version": "2026.1.15", "Licenses": [ "Apache-2.0 AND CNRI-Python" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/regex-2026.1.15.dist-info/METADATA", "Digest": "sha1:e600d879b2f5d27130a57d94ce05664a56098705" }, { "ID": "requests@2.32.5", "Name": "requests", "Identifier": { "PURL": "pkg:pypi/requests@2.32.5", "UID": "f995aa66547e2f44", "BOMRef": "pkg:pypi/requests@2.32.5" }, "Version": "2.32.5", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/requests-2.32.5.dist-info/METADATA", "Digest": "sha1:ca17920e69f3c7103322151275139cf487e4da08" }, { "ID": "requests-toolbelt@1.0.0", "Name": "requests-toolbelt", "Identifier": { "PURL": "pkg:pypi/requests-toolbelt@1.0.0", "UID": "d56fde8e56750771", "BOMRef": "pkg:pypi/requests-toolbelt@1.0.0" }, "Version": "1.0.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:568cf0839c2e5c5706101dd3eb417332f95377002f5c2ac7edf7be4b4fc1e32b", "DiffID": "sha256:b667b36a7cbb543a2e773320ce0bb6938352eca67219e48928d269a81515b90a" }, "FilePath": "usr/lib/python3.13/site-packages/requests_toolbelt-1.0.0.dist-info/METADATA", "Digest": "sha1:171fbbc84e8b7216e237b702f3fda539ffb1e487" }, { "ID": "rfc3339-validator@0.1.4", "Name": "rfc3339-validator", "Identifier": { "PURL": "pkg:pypi/rfc3339-validator@0.1.4", "UID": "a9a80bb5fa832166", "BOMRef": "pkg:pypi/rfc3339-validator@0.1.4" }, "Version": "0.1.4", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/rfc3339_validator-0.1.4.dist-info/METADATA", "Digest": "sha1:b8cc2c804bf4cb64b4573a802305f3d0dc7e9a91" }, { "ID": "rich@13.7.1", "Name": "rich", "Identifier": { "PURL": "pkg:pypi/rich@13.7.1", "UID": "e42d6cac59774fbf", "BOMRef": "pkg:pypi/rich@13.7.1" }, "Version": "13.7.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/rich-13.7.1.dist-info/METADATA", "Digest": "sha1:bf3cca748ddf06213ddb6911d0b2d437f202533b" }, { "ID": "rpds-py@0.30.0", "Name": "rpds-py", "Identifier": { "PURL": "pkg:pypi/rpds-py@0.30.0", "UID": "561773822a605248", "BOMRef": "pkg:pypi/rpds-py@0.30.0" }, "Version": "0.30.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/rpds_py-0.30.0.dist-info/METADATA", "Digest": "sha1:9eef46c842a0ca6229680d7bfc1272958efdcc5a" }, { "ID": "rsa@4.9.1", "Name": "rsa", "Identifier": { "PURL": "pkg:pypi/rsa@4.9.1", "UID": "44b4350b7489ee6a", "BOMRef": "pkg:pypi/rsa@4.9.1" }, "Version": "4.9.1", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/rsa-4.9.1.dist-info/METADATA", "Digest": "sha1:a2f68fc042a03952873edfefafda03c04787a56f" }, { "ID": "s3transfer@0.11.3", "Name": "s3transfer", "Identifier": { "PURL": "pkg:pypi/s3transfer@0.11.3", "UID": "d0a9741c5c4bb8c4", "BOMRef": "pkg:pypi/s3transfer@0.11.3" }, "Version": "0.11.3", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/s3transfer-0.11.3.dist-info/METADATA", "Digest": "sha1:9317099a7678a5839e37ca7f8351d64abf8cefb9" }, { "ID": "semantic-router@0.1.11", "Name": "semantic-router", "Identifier": { "PURL": "pkg:pypi/semantic-router@0.1.11", "UID": "2102a5237c23bc66", "BOMRef": "pkg:pypi/semantic-router@0.1.11" }, "Version": "0.1.11", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:568cf0839c2e5c5706101dd3eb417332f95377002f5c2ac7edf7be4b4fc1e32b", "DiffID": "sha256:b667b36a7cbb543a2e773320ce0bb6938352eca67219e48928d269a81515b90a" }, "FilePath": "usr/lib/python3.13/site-packages/semantic_router-0.1.11.dist-info/METADATA", "Digest": "sha1:7de93f4f62c6d698a4693fb0c0380fdf2d9456a3" }, { "ID": "sentry-sdk@2.21.0", "Name": "sentry-sdk", "Identifier": { "PURL": "pkg:pypi/sentry-sdk@2.21.0", "UID": "c641c57dbef8e13b", "BOMRef": "pkg:pypi/sentry-sdk@2.21.0" }, "Version": "2.21.0", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/sentry_sdk-2.21.0.dist-info/METADATA", "Digest": "sha1:5af3250fb5606b6a97f62d83513d6010a0d3954f" }, { "ID": "shapely@2.1.2", "Name": "shapely", "Identifier": { "PURL": "pkg:pypi/shapely@2.1.2", "UID": "d2b32558eeb43d26", "BOMRef": "pkg:pypi/shapely@2.1.2" }, "Version": "2.1.2", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/shapely-2.1.2.dist-info/METADATA", "Digest": "sha1:46877dc74bca71bbb7cd2207c0c3683001f23904" }, { "ID": "six@1.17.0", "Name": "six", "Identifier": { "PURL": "pkg:pypi/six@1.17.0", "UID": "a45a4b3204352bd6", "BOMRef": "pkg:pypi/six@1.17.0" }, "Version": "1.17.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/six-1.17.0.dist-info/METADATA", "Digest": "sha1:483a26554261f6c839703c0e1183f3ef33ff97f1" }, { "ID": "sniffio@1.3.1", "Name": "sniffio", "Identifier": { "PURL": "pkg:pypi/sniffio@1.3.1", "UID": "b20c44321a36e061", "BOMRef": "pkg:pypi/sniffio@1.3.1" }, "Version": "1.3.1", "Licenses": [ "MIT", "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/sniffio-1.3.1.dist-info/METADATA", "Digest": "sha1:bc1d7aead770fe23c8d22666b84558edb3686da3" }, { "ID": "soundfile@0.12.1", "Name": "soundfile", "Identifier": { "PURL": "pkg:pypi/soundfile@0.12.1", "UID": "473c6f149cefce4e", "BOMRef": "pkg:pypi/soundfile@0.12.1" }, "Version": "0.12.1", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/soundfile-0.12.1.dist-info/METADATA", "Digest": "sha1:b5ce3ad2ef849be1c4195d05ca730e0f7905e90b" }, { "ID": "sse-starlette@3.2.0", "Name": "sse-starlette", "Identifier": { "PURL": "pkg:pypi/sse-starlette@3.2.0", "UID": "44cd1a70dc3fccee", "BOMRef": "pkg:pypi/sse-starlette@3.2.0" }, "Version": "3.2.0", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/sse_starlette-3.2.0.dist-info/METADATA", "Digest": "sha1:8a6175cd01d1e84f937287b9a9b0879cda2952f8" }, { "ID": "starlette@0.49.1", "Name": "starlette", "Identifier": { "PURL": "pkg:pypi/starlette@0.49.1", "UID": "7ef4afeec91a660d", "BOMRef": "pkg:pypi/starlette@0.49.1" }, "Version": "0.49.1", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/starlette-0.49.1.dist-info/METADATA", "Digest": "sha1:d2dc5927de72d847252d292615f15065928238dc" }, { "ID": "tenacity@8.5.0", "Name": "tenacity", "Identifier": { "PURL": "pkg:pypi/tenacity@8.5.0", "UID": "f64c031a2488fdd4", "BOMRef": "pkg:pypi/tenacity@8.5.0" }, "Version": "8.5.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/tenacity-8.5.0.dist-info/METADATA", "Digest": "sha1:67c962294c30afecad8066ac633a11bd658c5148" }, { "ID": "tiktoken@0.8.0", "Name": "tiktoken", "Identifier": { "PURL": "pkg:pypi/tiktoken@0.8.0", "UID": "b100837e35f9d1e0", "BOMRef": "pkg:pypi/tiktoken@0.8.0" }, "Version": "0.8.0", "Licenses": [ "MIT License Copyright (c) 2022 OpenAI, Shantanu Jain Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/tiktoken-0.8.0.dist-info/METADATA", "Digest": "sha1:9d84201eb7fb511e2757fbd00150263ff31577b8" }, { "ID": "tokenizers@0.20.2", "Name": "tokenizers", "Identifier": { "PURL": "pkg:pypi/tokenizers@0.20.2", "UID": "35a896b898112b2", "BOMRef": "pkg:pypi/tokenizers@0.20.2" }, "Version": "0.20.2", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/tokenizers-0.20.2.dist-info/METADATA", "Digest": "sha1:86c509fc1d122a9bba1c089e9d38ddd1c56d64cd" }, { "ID": "tomlkit@0.14.0", "Name": "tomlkit", "Identifier": { "PURL": "pkg:pypi/tomlkit@0.14.0", "UID": "61d4cc1c763cc595", "BOMRef": "pkg:pypi/tomlkit@0.14.0" }, "Version": "0.14.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/tomlkit-0.14.0.dist-info/METADATA", "Digest": "sha1:7887d40449d9684788cfb76faacc540c0769cac8" }, { "ID": "tornado@6.5.4", "Name": "tornado", "Identifier": { "PURL": "pkg:pypi/tornado@6.5.4", "UID": "2781bc31fadeaaa9", "BOMRef": "pkg:pypi/tornado@6.5.4" }, "Version": "6.5.4", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:568cf0839c2e5c5706101dd3eb417332f95377002f5c2ac7edf7be4b4fc1e32b", "DiffID": "sha256:b667b36a7cbb543a2e773320ce0bb6938352eca67219e48928d269a81515b90a" }, "FilePath": "usr/lib/python3.13/site-packages/tornado-6.5.4.dist-info/METADATA", "Digest": "sha1:a1e2393e5aa6c6bd7c26bfb9b68a31771d14a790" }, { "ID": "tqdm@4.67.1", "Name": "tqdm", "Identifier": { "PURL": "pkg:pypi/tqdm@4.67.1", "UID": "685392e3fe2716ec", "BOMRef": "pkg:pypi/tqdm@4.67.1" }, "Version": "4.67.1", "Licenses": [ "MIT", "MPL-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/tqdm-4.67.1.dist-info/METADATA", "Digest": "sha1:13fdc62748a0d682db11ab8d825b764849c7ffa4" }, { "ID": "typing-inspection@0.4.2", "Name": "typing-inspection", "Identifier": { "PURL": "pkg:pypi/typing-inspection@0.4.2", "UID": "e246819d67f56a1d", "BOMRef": "pkg:pypi/typing-inspection@0.4.2" }, "Version": "0.4.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/typing_inspection-0.4.2.dist-info/METADATA", "Digest": "sha1:455fdb9c8e246ba02c2a28655287401b62028b60" }, { "ID": "typing_extensions@4.15.0", "Name": "typing_extensions", "Identifier": { "PURL": "pkg:pypi/typing-extensions@4.15.0", "UID": "6942b9d2f7a4c9d4", "BOMRef": "pkg:pypi/typing-extensions@4.15.0" }, "Version": "4.15.0", "Licenses": [ "PSF-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/typing_extensions-4.15.0.dist-info/METADATA", "Digest": "sha1:c5c2ce18351f8f2ae0f4a6f7c84c523f342010ee" }, { "ID": "tzdata@2025.1", "Name": "tzdata", "Identifier": { "PURL": "pkg:pypi/tzdata@2025.1", "UID": "8ba186fe820cbcd", "BOMRef": "pkg:pypi/tzdata@2025.1" }, "Version": "2025.1", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/tzdata-2025.1.dist-info/METADATA", "Digest": "sha1:6e57a2a6ed74712dd41842370b1c12bb8446d4b1" }, { "ID": "tzlocal@5.3.1", "Name": "tzlocal", "Identifier": { "PURL": "pkg:pypi/tzlocal@5.3.1", "UID": "2335662b2564f903", "BOMRef": "pkg:pypi/tzlocal@5.3.1" }, "Version": "5.3.1", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/tzlocal-5.3.1.dist-info/METADATA", "Digest": "sha1:fa463c4a745ae9f56544484fb7724eb107786eb4" }, { "ID": "uritemplate@4.2.0", "Name": "uritemplate", "Identifier": { "PURL": "pkg:pypi/uritemplate@4.2.0", "UID": "b1dab68640e54a29", "BOMRef": "pkg:pypi/uritemplate@4.2.0" }, "Version": "4.2.0", "Licenses": [ "BSD-3-Clause OR Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/uritemplate-4.2.0.dist-info/METADATA", "Digest": "sha1:23d93a7467b14d86e4541df8324cca8633544964" }, { "ID": "urllib3@2.6.3", "Name": "urllib3", "Identifier": { "PURL": "pkg:pypi/urllib3@2.6.3", "UID": "3c022e62c4b9e3f9", "BOMRef": "pkg:pypi/urllib3@2.6.3" }, "Version": "2.6.3", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/urllib3-2.6.3.dist-info/METADATA", "Digest": "sha1:8e2cd7246c7dce09d4590affab6060ec527397c1" }, { "ID": "uvicorn@0.31.1", "Name": "uvicorn", "Identifier": { "PURL": "pkg:pypi/uvicorn@0.31.1", "UID": "beddddae65f666d5", "BOMRef": "pkg:pypi/uvicorn@0.31.1" }, "Version": "0.31.1", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/uvicorn-0.31.1.dist-info/METADATA", "Digest": "sha1:d229686a1d0f8b25bbb3ca0ab3b5519a37abc2b2" }, { "ID": "uvloop@0.21.0", "Name": "uvloop", "Identifier": { "PURL": "pkg:pypi/uvloop@0.21.0", "UID": "c8aae55a98170e1", "BOMRef": "pkg:pypi/uvloop@0.21.0" }, "Version": "0.21.0", "Licenses": [ "Apache-2.0", "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/uvloop-0.21.0.dist-info/METADATA", "Digest": "sha1:eecfee7932b6d8397d72414b9a42e8b34c4dcbe7" }, { "ID": "websockets@13.1", "Name": "websockets", "Identifier": { "PURL": "pkg:pypi/websockets@13.1", "UID": "7b0bb54ea2c27224", "BOMRef": "pkg:pypi/websockets@13.1" }, "Version": "13.1", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/websockets-13.1.dist-info/METADATA", "Digest": "sha1:80e98547de82071ab76c7d16af0a96947a7e558a" }, { "ID": "wrapt@1.17.3", "Name": "wrapt", "Identifier": { "PURL": "pkg:pypi/wrapt@1.17.3", "UID": "da07bafabe37940d", "BOMRef": "pkg:pypi/wrapt@1.17.3" }, "Version": "1.17.3", "Licenses": [ "BSD-3-Clause" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/wrapt-1.17.3.dist-info/METADATA", "Digest": "sha1:dbb2682fa0ce1b88bad298721b69b9263a689653" }, { "ID": "xmltodict@1.0.2", "Name": "xmltodict", "Identifier": { "PURL": "pkg:pypi/xmltodict@1.0.2", "UID": "f84635d1c0b9270a", "BOMRef": "pkg:pypi/xmltodict@1.0.2" }, "Version": "1.0.2", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/xmltodict-1.0.2.dist-info/METADATA", "Digest": "sha1:12598af0f119ea10de66172e206d3394d7652bfd" }, { "ID": "yarl@1.22.0", "Name": "yarl", "Identifier": { "PURL": "pkg:pypi/yarl@1.22.0", "UID": "21c27aa7163f510e", "BOMRef": "pkg:pypi/yarl@1.22.0" }, "Version": "1.22.0", "Licenses": [ "Apache-2.0" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/yarl-1.22.0.dist-info/METADATA", "Digest": "sha1:f41ac3bd0464e5ad45fa596ed3de6fc69d98568d" }, { "ID": "zipp@3.23.0", "Name": "zipp", "Identifier": { "PURL": "pkg:pypi/zipp@3.23.0", "UID": "963a6311dc170b62", "BOMRef": "pkg:pypi/zipp@3.23.0" }, "Version": "3.23.0", "Licenses": [ "MIT" ], "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "FilePath": "usr/lib/python3.13/site-packages/zipp-3.23.0.dist-info/METADATA", "Digest": "sha1:d7974cc6cd5ace30ae2bf7e89ed458fc7e46a194" } ], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2026-32597", "VendorIDs": [ "GHSA-752w-5fwx-jx9f" ], "PkgID": "PyJWT@2.10.1", "PkgName": "PyJWT", "PkgPath": "usr/lib/python3.13/site-packages/PyJWT-2.10.1.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/pyjwt@2.10.1", "UID": "ac325a6454c21e13", "BOMRef": "pkg:pypi/pyjwt@2.10.1" }, "InstalledVersion": "2.10.1", "FixedVersion": "2.12.0", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-32597", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:323bb010b2576f5d379e9c36fddf2b61e386778045670c235e9b108a63b1dd14", "Title": "pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)", "Description": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.", "Severity": "HIGH", "CweIDs": [ "CWE-345", "CWE-863" ], "VendorSeverity": { "amazon": 2, "ghsa": 3, "redhat": 3, "ubuntu": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-32597", "https://github.com/jpadilla/pyjwt", "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f", "https://nvd.nist.gov/vuln/detail/CVE-2026-32597", "https://ubuntu.com/security/notices/USN-8133-1", "https://www.cve.org/CVERecord?id=CVE-2026-32597" ], "PublishedDate": "2026-03-13T19:55:09.5Z", "LastModifiedDate": "2026-03-19T13:30:29.217Z" }, { "VulnerabilityID": "CVE-2026-4539", "VendorIDs": [ "GHSA-5239-wwwm-4pmq" ], "PkgID": "Pygments@2.19.2", "PkgName": "Pygments", "PkgPath": "usr/lib/python3.13/site-packages/pygments-2.19.2.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/pygments@2.19.2", "UID": "3193c3af3c7f6855", "BOMRef": "pkg:pypi/pygments@2.19.2" }, "InstalledVersion": "2.19.2", "FixedVersion": "2.20.0", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-4539", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:ebde05e4d8dcd73a17075046f3361dd78663645fafd33c8dceda93495fbf43d3", "Title": "pygments: Pygments: Denial of Service via inefficient regular expression processing in AdlLexer", "Description": "A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.", "Severity": "LOW", "CweIDs": [ "CWE-400", "CWE-1333" ], "VendorSeverity": { "ghsa": 1, "redhat": 1 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "V3Score": 3.3, "V40Score": 1.9 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "V3Score": 3.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-4539", "https://github.com/pygments/pygments", "https://github.com/pygments/pygments/", "https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc", "https://github.com/pygments/pygments/issues/3058", "https://github.com/pygments/pygments/pull/3064", "https://github.com/pygments/pygments/releases/tag/2.20.0", "https://nvd.nist.gov/vuln/detail/CVE-2026-4539", "https://vuldb.com/?ctiid.352327", "https://vuldb.com/?id.352327", "https://vuldb.com/?submit.774685", "https://www.cve.org/CVERecord?id=CVE-2026-4539" ], "PublishedDate": "2026-03-22T06:16:20.913Z", "LastModifiedDate": "2026-03-23T14:31:37.267Z" }, { "VulnerabilityID": "CVE-2026-27199", "VendorIDs": [ "GHSA-29vq-49wr-vm6x" ], "PkgID": "Werkzeug@3.1.5", "PkgName": "Werkzeug", "PkgPath": "usr/lib/python3.13/site-packages/werkzeug-3.1.5.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/werkzeug@3.1.5", "UID": "939d3e12cfb033cb", "BOMRef": "pkg:pypi/werkzeug@3.1.5" }, "InstalledVersion": "3.1.5", "FixedVersion": "3.1.6", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27199", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:b74093257aea6d80fffd3b934cf4c8a45ed926648e9620a2b9f1051e92cbc088", "Title": " Werkzeug safe_join() allows Windows special device names", "Description": "Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that safe_join accepts paths with multiple segments, such as example/NUL. The function send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. This issue has been fixed in version 3.1.6.", "Severity": "MEDIUM", "CweIDs": [ "CWE-67" ], "VendorSeverity": { "ghsa": 2, "nvd": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "V40Score": 6.3 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 } }, "References": [ "https://github.com/pallets/werkzeug", "https://github.com/pallets/werkzeug/commit/f407712fdc60a09c2b3f4fe7db557703e5d9338d", "https://github.com/pallets/werkzeug/releases/tag/3.1.6", "https://github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6x", "https://nvd.nist.gov/vuln/detail/CVE-2026-27199" ], "PublishedDate": "2026-02-21T06:17:00.71Z", "LastModifiedDate": "2026-03-03T17:30:17.783Z" }, { "VulnerabilityID": "CVE-2026-22815", "VendorIDs": [ "GHSA-w2fm-2cpv-w7v5" ], "PkgID": "aiohttp@3.13.3", "PkgName": "aiohttp", "PkgPath": "usr/lib/python3.13/site-packages/aiohttp-3.13.3.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/aiohttp@3.13.3", "UID": "b80f9f12707df9ec", "BOMRef": "pkg:pypi/aiohttp@3.13.3" }, "InstalledVersion": "3.13.3", "FixedVersion": "3.13.4", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-22815", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:e297cb5a8fd78db1e9ad3bb29c1a40a1df63eabccc96ee4b5deb56e6c856a4ab", "Title": "aiohttp: AIOHTTP: Denial of Service via insufficient header/trailer handling", "Description": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.", "Severity": "MEDIUM", "CweIDs": [ "CWE-400", "CWE-770" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "V40Score": 6.9 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-22815", "https://github.com/aio-libs/aiohttp", "https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36", "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4", "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-w2fm-2cpv-w7v5", "https://nvd.nist.gov/vuln/detail/CVE-2026-22815", "https://www.cve.org/CVERecord?id=CVE-2026-22815" ], "PublishedDate": "2026-04-01T21:16:58.513Z", "LastModifiedDate": "2026-04-04T04:17:11.5Z" }, { "VulnerabilityID": "CVE-2026-34515", "VendorIDs": [ "GHSA-p998-jp59-783m" ], "PkgID": "aiohttp@3.13.3", "PkgName": "aiohttp", "PkgPath": "usr/lib/python3.13/site-packages/aiohttp-3.13.3.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/aiohttp@3.13.3", "UID": "b80f9f12707df9ec", "BOMRef": "pkg:pypi/aiohttp@3.13.3" }, "InstalledVersion": "3.13.3", "FixedVersion": "3.13.4", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34515", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:aa0ff32af4423f451a9b5ca9ffda6e685d476c23cfcad9f23218d016963c6ee4", "Title": "aiohttp: AIOHTTP: Information disclosure via static resource handler on Windows", "Description": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.", "Severity": "MEDIUM", "CweIDs": [ "CWE-36", "CWE-918" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "V40Score": 6.6 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-34515", "https://github.com/aio-libs/aiohttp", "https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d", "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4", "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-p998-jp59-783m", "https://nvd.nist.gov/vuln/detail/CVE-2026-34515", "https://www.cve.org/CVERecord?id=CVE-2026-34515" ], "PublishedDate": "2026-04-01T21:16:59.57Z", "LastModifiedDate": "2026-04-03T16:10:52.68Z" }, { "VulnerabilityID": "CVE-2026-34516", "VendorIDs": [ "GHSA-m5qp-6w8w-w647" ], "PkgID": "aiohttp@3.13.3", "PkgName": "aiohttp", "PkgPath": "usr/lib/python3.13/site-packages/aiohttp-3.13.3.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/aiohttp@3.13.3", "UID": "b80f9f12707df9ec", "BOMRef": "pkg:pypi/aiohttp@3.13.3" }, "InstalledVersion": "3.13.3", "FixedVersion": "3.13.4", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34516", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:866e8a4d5186c80beaf50090938ccce515a3aaa37fd8a0f3288f6eb882018131", "Title": "aiohttp: AIOHTTP: Denial of Service via excessive multipart headers", "Description": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched in version 3.13.4.", "Severity": "MEDIUM", "CweIDs": [ "CWE-770" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "V40Score": 6.6 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-34516", "https://github.com/aio-libs/aiohttp", "https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f", "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4", "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-m5qp-6w8w-w647", "https://nvd.nist.gov/vuln/detail/CVE-2026-34516", "https://www.cve.org/CVERecord?id=CVE-2026-34516" ], "PublishedDate": "2026-04-01T21:16:59.723Z", "LastModifiedDate": "2026-04-04T04:17:20.147Z" }, { "VulnerabilityID": "CVE-2026-34525", "VendorIDs": [ "GHSA-c427-h43c-vf67" ], "PkgID": "aiohttp@3.13.3", "PkgName": "aiohttp", "PkgPath": "usr/lib/python3.13/site-packages/aiohttp-3.13.3.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/aiohttp@3.13.3", "UID": "b80f9f12707df9ec", "BOMRef": "pkg:pypi/aiohttp@3.13.3" }, "InstalledVersion": "3.13.3", "FixedVersion": "3.13.4", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34525", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:e84f570f991af8f81da0073310141adbbe376c44e2bb855e226ffeb8826b2695", "Title": "aiohttp: aiohttp: Security bypass via multiple Host headers", "Description": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.", "Severity": "MEDIUM", "CweIDs": [ "CWE-20", "CWE-444" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N", "V40Score": 6.3 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "V3Score": 5.4 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-34525", "https://github.com/aio-libs/aiohttp", "https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000", "https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349", "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4", "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-c427-h43c-vf67", "https://nvd.nist.gov/vuln/detail/CVE-2026-34525", "https://www.cve.org/CVERecord?id=CVE-2026-34525" ], "PublishedDate": "2026-04-01T21:17:00.49Z", "LastModifiedDate": "2026-04-03T16:10:52.68Z" }, { "VulnerabilityID": "CVE-2026-34513", "VendorIDs": [ "GHSA-hcc4-c3v8-rx92" ], "PkgID": "aiohttp@3.13.3", "PkgName": "aiohttp", "PkgPath": "usr/lib/python3.13/site-packages/aiohttp-3.13.3.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/aiohttp@3.13.3", "UID": "b80f9f12707df9ec", "BOMRef": "pkg:pypi/aiohttp@3.13.3" }, "InstalledVersion": "3.13.3", "FixedVersion": "3.13.4", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34513", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:96526097b9e565fbcbf5ef8c916c84641b20edb5fca07d11d43577d13d9175e1", "Title": "aiohttp: AIOHTTP: Denial of Service due to unbounded DNS cache", "Description": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.", "Severity": "LOW", "CweIDs": [ "CWE-770" ], "VendorSeverity": { "ghsa": 1, "redhat": 1 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U", "V40Score": 2.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 3.7 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-34513", "https://github.com/aio-libs/aiohttp", "https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98", "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4", "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hcc4-c3v8-rx92", "https://nvd.nist.gov/vuln/detail/CVE-2026-34513", "https://www.cve.org/CVERecord?id=CVE-2026-34513" ], "PublishedDate": "2026-04-01T21:16:59.267Z", "LastModifiedDate": "2026-04-03T16:10:52.68Z" }, { "VulnerabilityID": "CVE-2026-34514", "VendorIDs": [ "GHSA-2vrm-gr82-f7m5" ], "PkgID": "aiohttp@3.13.3", "PkgName": "aiohttp", "PkgPath": "usr/lib/python3.13/site-packages/aiohttp-3.13.3.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/aiohttp@3.13.3", "UID": "b80f9f12707df9ec", "BOMRef": "pkg:pypi/aiohttp@3.13.3" }, "InstalledVersion": "3.13.3", "FixedVersion": "3.13.4", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34514", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:e702c6a7f468a334f650f8b9550cb73a6231ea5b2f4a9cfd8d21e0428e1a106a", "Title": "aiohttp: AIOHTTP: Header Injection via content_type parameter manipulation", "Description": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.", "Severity": "LOW", "CweIDs": [ "CWE-113" ], "VendorSeverity": { "ghsa": 1, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", "V40Score": 2.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-34514", "https://github.com/aio-libs/aiohttp", "https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06", "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4", "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-2vrm-gr82-f7m5", "https://nvd.nist.gov/vuln/detail/CVE-2026-34514", "https://www.cve.org/CVERecord?id=CVE-2026-34514" ], "PublishedDate": "2026-04-01T21:16:59.417Z", "LastModifiedDate": "2026-04-03T16:10:52.68Z" }, { "VulnerabilityID": "CVE-2026-34517", "VendorIDs": [ "GHSA-3wq7-rqq7-wx6j" ], "PkgID": "aiohttp@3.13.3", "PkgName": "aiohttp", "PkgPath": "usr/lib/python3.13/site-packages/aiohttp-3.13.3.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/aiohttp@3.13.3", "UID": "b80f9f12707df9ec", "BOMRef": "pkg:pypi/aiohttp@3.13.3" }, "InstalledVersion": "3.13.3", "FixedVersion": "3.13.4", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34517", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:a54f789989605bca58808a5eb74e695bddcaf31106f6193215b12e8ab415dc30", "Title": "aiohttp: AIOHTTP: Denial of Service via large multipart form fields", "Description": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.", "Severity": "LOW", "CweIDs": [ "CWE-770" ], "VendorSeverity": { "ghsa": 1, "redhat": 1 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U", "V40Score": 2.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 3.7 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-34517", "https://github.com/aio-libs/aiohttp", "https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145", "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4", "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-3wq7-rqq7-wx6j", "https://nvd.nist.gov/vuln/detail/CVE-2026-34517", "https://www.cve.org/CVERecord?id=CVE-2026-34517" ], "PublishedDate": "2026-04-01T21:16:59.87Z", "LastModifiedDate": "2026-04-03T16:10:52.68Z" }, { "VulnerabilityID": "CVE-2026-34518", "VendorIDs": [ "GHSA-966j-vmvw-g2g9" ], "PkgID": "aiohttp@3.13.3", "PkgName": "aiohttp", "PkgPath": "usr/lib/python3.13/site-packages/aiohttp-3.13.3.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/aiohttp@3.13.3", "UID": "b80f9f12707df9ec", "BOMRef": "pkg:pypi/aiohttp@3.13.3" }, "InstalledVersion": "3.13.3", "FixedVersion": "3.13.4", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34518", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:17f8068b71428244ee87fc4bd501180d108baf2d9105f003b3bb86d35173ad70", "Title": "aiohttp: AIOHTTP: Information disclosure via retained Cookie and Proxy-Authorization headers during redirects", "Description": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4.", "Severity": "LOW", "CweIDs": [ "CWE-200" ], "VendorSeverity": { "ghsa": 1, "redhat": 1 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "V40Score": 2.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "V3Score": 3.7 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-34518", "https://github.com/aio-libs/aiohttp", "https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6", "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4", "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-966j-vmvw-g2g9", "https://nvd.nist.gov/vuln/detail/CVE-2026-34518", "https://www.cve.org/CVERecord?id=CVE-2026-34518" ], "PublishedDate": "2026-04-01T21:17:00.02Z", "LastModifiedDate": "2026-04-03T16:10:52.68Z" }, { "VulnerabilityID": "CVE-2026-34519", "VendorIDs": [ "GHSA-mwh4-6h8g-pg8w" ], "PkgID": "aiohttp@3.13.3", "PkgName": "aiohttp", "PkgPath": "usr/lib/python3.13/site-packages/aiohttp-3.13.3.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/aiohttp@3.13.3", "UID": "b80f9f12707df9ec", "BOMRef": "pkg:pypi/aiohttp@3.13.3" }, "InstalledVersion": "3.13.3", "FixedVersion": "3.13.4", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34519", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:c677ff157a1bb25fab314b79823db49eca07785b4ab4ea1dd8c7d70fb78e8fe3", "Title": "aiohttp: aiohttp: Header injection vulnerability via reason parameter", "Description": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.", "Severity": "LOW", "CweIDs": [ "CWE-113" ], "VendorSeverity": { "ghsa": 1, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", "V40Score": 2.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-34519", "https://github.com/aio-libs/aiohttp", "https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b", "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4", "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mwh4-6h8g-pg8w", "https://nvd.nist.gov/vuln/detail/CVE-2026-34519", "https://www.cve.org/CVERecord?id=CVE-2026-34519" ], "PublishedDate": "2026-04-01T21:17:00.17Z", "LastModifiedDate": "2026-04-03T16:10:52.68Z" }, { "VulnerabilityID": "CVE-2026-34520", "VendorIDs": [ "GHSA-63hf-3vf5-4wqf" ], "PkgID": "aiohttp@3.13.3", "PkgName": "aiohttp", "PkgPath": "usr/lib/python3.13/site-packages/aiohttp-3.13.3.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/aiohttp@3.13.3", "UID": "b80f9f12707df9ec", "BOMRef": "pkg:pypi/aiohttp@3.13.3" }, "InstalledVersion": "3.13.3", "FixedVersion": "3.13.4", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34520", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:0770c420fed18efd646b9b1025c31ad6b249ef4b7310b4e44012f102049b74b9", "Title": "aiohttp: AIOHTTP: Header injection vulnerability due to improper character handling", "Description": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.", "Severity": "LOW", "CweIDs": [ "CWE-113" ], "VendorSeverity": { "ghsa": 1, "redhat": 1 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", "V40Score": 2.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 3.7 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-34520", "https://github.com/aio-libs/aiohttp", "https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4", "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4", "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hf-3vf5-4wqf", "https://nvd.nist.gov/vuln/detail/CVE-2026-34520", "https://www.cve.org/CVERecord?id=CVE-2026-34520" ], "PublishedDate": "2026-04-01T21:17:00.333Z", "LastModifiedDate": "2026-04-04T04:17:20.773Z" }, { "VulnerabilityID": "CVE-2026-26007", "VendorIDs": [ "GHSA-r6ph-v2qm-q3c2" ], "PkgID": "cryptography@44.0.1", "PkgName": "cryptography", "PkgPath": "usr/lib/python3.13/site-packages/cryptography-44.0.1.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/cryptography@44.0.1", "UID": "b2f6b22b39d220d0", "BOMRef": "pkg:pypi/cryptography@44.0.1" }, "InstalledVersion": "44.0.1", "FixedVersion": "46.0.5", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-26007", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:59598b9c8996610654c3b867f4c5eda7fe99ac2e387ebb068c981cb72d98d867", "Title": "cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves", "Description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor \u003e 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. This vulnerability is fixed in 46.0.5.", "Severity": "HIGH", "CweIDs": [ "CWE-345" ], "VendorSeverity": { "azure": 3, "ghsa": 3, "nvd": 2, "redhat": 3, "ubuntu": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "V40Score": 8.2 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "V3Score": 6.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "V3Score": 7.4 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/02/10/4", "https://access.redhat.com/security/cve/CVE-2026-26007", "https://github.com/pyca/cryptography", "https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c", "https://github.com/pyca/cryptography/releases/tag/46.0.5", "https://github.com/pyca/cryptography/security/advisories/GHSA-r6ph-v2qm-q3c2", "https://nvd.nist.gov/vuln/detail/CVE-2026-26007", "https://ubuntu.com/security/notices/USN-8087-1", "https://www.cve.org/CVERecord?id=CVE-2026-26007" ], "PublishedDate": "2026-02-10T22:17:00.307Z", "LastModifiedDate": "2026-02-23T15:40:33.787Z" }, { "VulnerabilityID": "CVE-2026-34073", "VendorIDs": [ "GHSA-m959-cc7f-wv43" ], "PkgID": "cryptography@44.0.1", "PkgName": "cryptography", "PkgPath": "usr/lib/python3.13/site-packages/cryptography-44.0.1.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/cryptography@44.0.1", "UID": "b2f6b22b39d220d0", "BOMRef": "pkg:pypi/cryptography@44.0.1" }, "InstalledVersion": "44.0.1", "FixedVersion": "46.0.6", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-34073", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:226ad6022a88accfdccf5a169731bd617b5b1a38e5b2239d2c219f40d95125fb", "Title": "cryptography: python: Cryptography: Security bypass due to improper DNS name constraint validation", "Description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.", "Severity": "LOW", "CweIDs": [ "CWE-295" ], "VendorSeverity": { "ghsa": 1, "redhat": 1 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", "V40Score": 1.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 3.7 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-34073", "https://github.com/pyca/cryptography", "https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43", "https://nvd.nist.gov/vuln/detail/CVE-2026-34073", "https://www.cve.org/CVERecord?id=CVE-2026-34073" ], "PublishedDate": "2026-03-31T03:15:59.123Z", "LastModifiedDate": "2026-04-01T14:24:02.583Z" }, { "VulnerabilityID": "CVE-2026-2473", "VendorIDs": [ "GHSA-wh2j-26j7-9728" ], "PkgID": "google-cloud-aiplatform@1.47.0", "PkgName": "google-cloud-aiplatform", "PkgPath": "usr/lib/python3.13/site-packages/google_cloud_aiplatform-1.47.0.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/google-cloud-aiplatform@1.47.0", "UID": "4eab7949b47e74b", "BOMRef": "pkg:pypi/google-cloud-aiplatform@1.47.0" }, "InstalledVersion": "1.47.0", "FixedVersion": "1.133.0", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-2473", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:d552af1d63c72cc623d0eb7289c20fbc99f13b25e45928c6d4f99fb00db07ad1", "Title": "Google Cloud Vertex AI has a a vulnerability involving predictable bucket naming", "Description": "Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting).\n\nThis vulnerability was patched and no customer action is needed.", "Severity": "HIGH", "CweIDs": [ "CWE-340" ], "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear", "V40Score": 7.7 } }, "References": [ "https://docs.cloud.google.com/support/bulletins#gcp-2026-012", "https://github.com/googleapis/python-aiplatform", "https://github.com/googleapis/python-aiplatform/releases/tag/v1.133.0", "https://nvd.nist.gov/vuln/detail/CVE-2026-2473" ], "PublishedDate": "2026-02-20T20:25:24.497Z", "LastModifiedDate": "2026-02-23T18:14:13.887Z" }, { "VulnerabilityID": "CVE-2026-35030", "VendorIDs": [ "GHSA-jjhc-v7c2-5hh6" ], "PkgID": "litellm@1.80.15", "PkgName": "litellm", "PkgPath": "usr/lib/python3.13/site-packages/litellm-1.80.15.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/litellm@1.80.15", "UID": "5e02ef4e816b42f8", "BOMRef": "pkg:pypi/litellm@1.80.15" }, "InstalledVersion": "1.80.15", "FixedVersion": "1.83.0", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-35030", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:516c5899e4419c22282755e4e5aa22797dd40231d575302afbb189ca000e02d7", "Title": "LiteLLM: Authentication bypass via OIDC userinfo cache key collision", "Description": "### Impact\n\nWhen JWT authentication is enabled (`enable_jwt_auth: true`), the OIDC userinfo cache uses `token[:20]` as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters.\n\nThis configuration option is not enabled by default. **Most instances are not affected.**\n\nAn unauthenticated attacker can craft a token whose first 20 characters match a legitimate user's cached token. On cache hit, the attacker inherits the legitimate user's identity and permissions. This affects deployments with JWT/OIDC authentication enabled.\n\n### Patches\n\nFixed in v1.83.0. The cache key now uses the full hash of the JWT token.\n\n### Workarounds\n\nDisable OIDC userinfo caching by setting the cache TTL to 0, or disable JWT authentication entirely.", "Severity": "CRITICAL", "VendorSeverity": { "ghsa": 4 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "V40Score": 9.4 } }, "References": [ "https://github.com/BerriAI/litellm", "https://github.com/BerriAI/litellm/security/advisories/GHSA-jjhc-v7c2-5hh6" ] }, { "VulnerabilityID": "CVE-2026-35029", "VendorIDs": [ "GHSA-53mr-6c8q-9789" ], "PkgID": "litellm@1.80.15", "PkgName": "litellm", "PkgPath": "usr/lib/python3.13/site-packages/litellm-1.80.15.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/litellm@1.80.15", "UID": "5e02ef4e816b42f8", "BOMRef": "pkg:pypi/litellm@1.80.15" }, "InstalledVersion": "1.80.15", "FixedVersion": "1.83.0", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-35029", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:d85e85b9230a921a5a7eb3ec617ae3ac15cabd3634b1716a33cfa6aecdd2d385", "Title": "LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint", "Description": "### Impact\n\nThe `/config/update endpoint` does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to do the following:\n\n - Modify proxy configuration and environment variables\n - Register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution\n - Read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image\n - Take over other priveleged accounts by overwriting UI_USERNAME and UI_PASSWORD environment variables\n\n### Patches\n\nFixed in v1.83.0. The endpoint now requires `proxy_admin` role.\n\n### Workarounds\n\nRestrict API key distribution. There is no configuration-level workaround.", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N", "V40Score": 8.7 } }, "References": [ "https://github.com/BerriAI/litellm", "https://github.com/BerriAI/litellm/security/advisories/GHSA-53mr-6c8q-9789" ] }, { "VulnerabilityID": "CVE-2025-67221", "VendorIDs": [ "GHSA-hx9q-6w63-j58v" ], "PkgID": "orjson@3.11.2", "PkgName": "orjson", "PkgPath": "usr/lib/python3.13/site-packages/orjson-3.11.2.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/orjson@3.11.2", "UID": "ea6affccb9564162", "BOMRef": "pkg:pypi/orjson@3.11.2" }, "InstalledVersion": "3.11.2", "FixedVersion": "3.11.6", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-67221", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:cd210466de72f773215aa2ebbe00b435ba0e3408c08fde07b478d71b07d32f33", "Title": "orjson: orjson: Denial of Service due to unbounded recursion with deeply nested JSON documents", "Description": "The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents.", "Severity": "HIGH", "CweIDs": [ "CWE-770" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "V40Score": 7.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-67221", "https://github.com/ijl/orjson", "https://github.com/ijl/orjson/commit/62bb185b70785ded49c79c26f8c9781f1e6fe370", "https://github.com/ijl/orjson/issues/620", "https://github.com/kpatsakis/CVE-2025-67221/issues/1", "https://github.com/kpatsakis/orjson_vulnerability", "https://nvd.nist.gov/vuln/detail/CVE-2025-67221", "https://www.cve.org/CVERecord?id=CVE-2025-67221" ], "PublishedDate": "2026-01-22T17:16:01.433Z", "LastModifiedDate": "2026-02-12T15:03:09.79Z" }, { "VulnerabilityID": "CVE-2026-25990", "VendorIDs": [ "GHSA-cfh3-3jmp-rvhc" ], "PkgID": "pillow@11.0.0", "PkgName": "pillow", "PkgPath": "usr/lib/python3.13/site-packages/pillow-11.0.0.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/pillow@11.0.0", "UID": "36fd427c3e790091", "BOMRef": "pkg:pypi/pillow@11.0.0" }, "InstalledVersion": "11.0.0", "FixedVersion": "12.1.1", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-25990", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:46d7f0de8fa4e904ad55e3d74d736d68302410aca15bcf663e5490b24e1bbe96", "Title": "pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image", "Description": "Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.", "Severity": "HIGH", "CweIDs": [ "CWE-787" ], "VendorSeverity": { "amazon": 3, "bitnami": 3, "ghsa": 3, "nvd": 3, "redhat": 3, "ubuntu": 2 }, "CVSS": { "bitnami": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "V40Score": 8.9 }, "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "V40Score": 8.9 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "V3Score": 7.3 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/02/12/1", "https://access.redhat.com/security/cve/CVE-2026-25990", "https://github.com/python-pillow/Pillow", "https://github.com/python-pillow/Pillow/commit/54ba4db542ad3c7b918812a4e2d69c27735a3199", "https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa", "https://github.com/python-pillow/Pillow/pull/9427", "https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc", "https://nvd.nist.gov/vuln/detail/CVE-2026-25990", "https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html", "https://ubuntu.com/security/notices/USN-8047-1", "https://www.cve.org/CVERecord?id=CVE-2026-25990" ], "PublishedDate": "2026-02-11T21:16:20.67Z", "LastModifiedDate": "2026-02-13T21:32:55.623Z" }, { "VulnerabilityID": "CVE-2026-0994", "VendorIDs": [ "GHSA-7gcm-g887-7qv7" ], "PkgID": "protobuf@4.25.8", "PkgName": "protobuf", "PkgPath": "usr/lib/python3.13/site-packages/protobuf-4.25.8.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/protobuf@4.25.8", "UID": "bc81518b197f0898", "BOMRef": "pkg:pypi/protobuf@4.25.8" }, "InstalledVersion": "4.25.8", "FixedVersion": "6.33.5, 5.29.6", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-0994", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:a5bdc0f8869eedfd51b58216434d7b9ddb35c32b004f8ab19abfd95f0bc1f411", "Title": "python: protobuf: Protobuf: Denial of Service due to recursion depth bypass", "Description": "A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.\n\nDue to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.", "Severity": "HIGH", "CweIDs": [ "CWE-674" ], "VendorSeverity": { "alma": 3, "amazon": 3, "azure": 3, "cbl-mariner": 3, "ghsa": 3, "oracle-oval": 3, "redhat": 3, "rocky": 3, "ubuntu": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L", "V40Score": 8.2 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:3095", "https://access.redhat.com/security/cve/CVE-2026-0994", "https://bugzilla.redhat.com/2432398", "https://bugzilla.redhat.com/show_bug.cgi?id=2432398", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0994", "https://errata.almalinux.org/9/ALSA-2026-3095.html", "https://errata.rockylinux.org/RLSA-2026:3095", "https://github.com/protocolbuffers/protobuf", "https://github.com/protocolbuffers/protobuf/commit/5ebddcb1bcbe51d1fe323baa145e85f4f23128cf", "https://github.com/protocolbuffers/protobuf/commit/d2b001626d137c62dfee6c88c87324102531868b", "https://github.com/protocolbuffers/protobuf/issues/25070", "https://github.com/protocolbuffers/protobuf/pull/25239", "https://github.com/protocolbuffers/protobuf/pull/25586 (33.x)", "https://github.com/protocolbuffers/protobuf/pull/25587 (29.x)", "https://linux.oracle.com/cve/CVE-2026-0994.html", "https://linux.oracle.com/errata/ELSA-2026-3095.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-0994", "https://ubuntu.com/security/notices/USN-8063-1", "https://www.cve.org/CVERecord?id=CVE-2026-0994" ], "PublishedDate": "2026-01-23T15:16:06.84Z", "LastModifiedDate": "2026-01-26T15:03:51.687Z" }, { "VulnerabilityID": "CVE-2026-30922", "VendorIDs": [ "GHSA-jr27-m4p2-rc6r" ], "PkgID": "pyasn1@0.6.2", "PkgName": "pyasn1", "PkgPath": "usr/lib/python3.13/site-packages/pyasn1-0.6.2.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/pyasn1@0.6.2", "UID": "d1b951d709ff6e13", "BOMRef": "pkg:pypi/pyasn1@0.6.2" }, "InstalledVersion": "0.6.2", "FixedVersion": "0.6.3", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-30922", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:c8b01b67777a21a211fe112adb623397adbfa193f38a4aca319365ee454edac6", "Title": "pyasn1: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion", "Description": "pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with \"Indefinite Length\" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.", "Severity": "HIGH", "CweIDs": [ "CWE-674" ], "VendorSeverity": { "amazon": 2, "cbl-mariner": 3, "ghsa": 3, "redhat": 3, "ubuntu": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "http://www.openwall.com/lists/oss-security/2026/03/20/4", "https://access.redhat.com/security/cve/CVE-2026-30922", "https://github.com/pyasn1/pyasn1", "https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0", "https://github.com/pyasn1/pyasn1/commit/5a49bd1fe93b5b866a1210f6bf0a3924f21572c8", "https://github.com/pyasn1/pyasn1/releases/tag/v0.6.3", "https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r", "https://nvd.nist.gov/vuln/detail/CVE-2026-30922", "https://ubuntu.com/security/notices/USN-8129-1", "https://ubuntu.com/security/notices/USN-8134-1", "https://www.cve.org/CVERecord?id=CVE-2026-30922" ], "PublishedDate": "2026-03-18T04:17:18.397Z", "LastModifiedDate": "2026-03-21T01:17:06.36Z" }, { "VulnerabilityID": "CVE-2026-24486", "VendorIDs": [ "GHSA-wp53-j4wj-2cfg" ], "PkgID": "python-multipart@0.0.18", "PkgName": "python-multipart", "PkgPath": "usr/lib/python3.13/site-packages/python_multipart-0.0.18.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/python-multipart@0.0.18", "UID": "cba16e9ef8993539", "BOMRef": "pkg:pypi/python-multipart@0.0.18" }, "InstalledVersion": "0.0.18", "FixedVersion": "0.0.22", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-24486", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:18d1efb4658c002fef21517997c295a7a3236beeaa876f937ecef41415378a25", "Title": "python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability", "Description": "Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.", "Severity": "HIGH", "CweIDs": [ "CWE-22" ], "VendorSeverity": { "ghsa": 3, "nvd": 3, "redhat": 3, "ubuntu": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "V3Score": 8.6 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "V3Score": 8.6 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-24486", "https://github.com/Kludex/python-multipart", "https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4", "https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4 (0.0.22)", "https://github.com/Kludex/python-multipart/releases/tag/0.0.22", "https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg", "https://nvd.nist.gov/vuln/detail/CVE-2026-24486", "https://ubuntu.com/security/notices/USN-8027-1", "https://www.cve.org/CVERecord?id=CVE-2026-24486" ], "PublishedDate": "2026-01-27T01:16:02.303Z", "LastModifiedDate": "2026-02-17T20:44:50.21Z" }, { "VulnerabilityID": "CVE-2026-25645", "VendorIDs": [ "GHSA-gc5v-m9x4-r6x2" ], "PkgID": "requests@2.32.5", "PkgName": "requests", "PkgPath": "usr/lib/python3.13/site-packages/requests-2.32.5.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/requests@2.32.5", "UID": "f995aa66547e2f44", "BOMRef": "pkg:pypi/requests@2.32.5" }, "InstalledVersion": "2.32.5", "FixedVersion": "2.33.0", "Status": "fixed", "Layer": { "Digest": "sha256:c8f9b0b5c0e37f05c8bd46cce82f9d74ef68cf008e1e88e1efb6afcfd0025da8", "DiffID": "sha256:9ffcf760538a3df23606911d56bf722a41ef63f484690954ca37a651af4f3c85" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-25645", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:2b3005b07dc5a6b7e5412ddcf35545abddc5483e79b217a7af964879fbbeb4d4", "Title": "requests: Requests: Security bypass due to predictable temporary file creation", "Description": "Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.", "Severity": "MEDIUM", "CweIDs": [ "CWE-377" ], "VendorSeverity": { "ghsa": 2, "nvd": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "V3Score": 4.4 }, "nvd": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "V3Score": 5.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "V3Score": 4.7 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-25645", "https://github.com/psf/requests", "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7", "https://github.com/psf/requests/releases/tag/v2.33.0", "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2", "https://nvd.nist.gov/vuln/detail/CVE-2026-25645", "https://www.cve.org/CVERecord?id=CVE-2026-25645" ], "PublishedDate": "2026-03-25T17:16:52.97Z", "LastModifiedDate": "2026-03-30T14:23:16.127Z" }, { "VulnerabilityID": "CVE-2026-31958", "VendorIDs": [ "GHSA-qjxf-f2mg-c6mc" ], "PkgID": "tornado@6.5.4", "PkgName": "tornado", "PkgPath": "usr/lib/python3.13/site-packages/tornado-6.5.4.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/tornado@6.5.4", "UID": "2781bc31fadeaaa9", "BOMRef": "pkg:pypi/tornado@6.5.4" }, "InstalledVersion": "6.5.4", "FixedVersion": "6.5.5", "Status": "fixed", "Layer": { "Digest": "sha256:568cf0839c2e5c5706101dd3eb417332f95377002f5c2ac7edf7be4b4fc1e32b", "DiffID": "sha256:b667b36a7cbb543a2e773320ce0bb6938352eca67219e48928d269a81515b90a" }, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-31958", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:10b5831ac0a0f1c5feae09fe9ece4ce967a81416be39c47bd967452119025f77", "Title": "tornado-python: Tornado: Denial of Service via large multipart bodies", "Description": "Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.", "Severity": "HIGH", "CweIDs": [ "CWE-400" ], "VendorSeverity": { "amazon": 3, "ghsa": 3, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-31958", "https://github.com/tornadoweb/tornado", "https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839", "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5", "https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc", "https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html", "https://nvd.nist.gov/vuln/detail/CVE-2026-31958", "https://www.cve.org/CVERecord?id=CVE-2026-31958" ], "PublishedDate": "2026-03-11T20:16:16.617Z", "LastModifiedDate": "2026-04-01T15:23:00.217Z" }, { "VulnerabilityID": "GHSA-78cv-mqj4-43f7", "PkgID": "tornado@6.5.4", "PkgName": "tornado", "PkgPath": "usr/lib/python3.13/site-packages/tornado-6.5.4.dist-info/METADATA", "PkgIdentifier": { "PURL": "pkg:pypi/tornado@6.5.4", "UID": "2781bc31fadeaaa9", "BOMRef": "pkg:pypi/tornado@6.5.4" }, "InstalledVersion": "6.5.4", "FixedVersion": "6.5.5", "Status": "fixed", "Layer": { "Digest": "sha256:568cf0839c2e5c5706101dd3eb417332f95377002f5c2ac7edf7be4b4fc1e32b", "DiffID": "sha256:b667b36a7cbb543a2e773320ce0bb6938352eca67219e48928d269a81515b90a" }, "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-78cv-mqj4-43f7", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory pip", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" }, "Fingerprint": "sha256:f1ac92fd089dcd90594868f05741f3d0f04d06b7805421f130ef6c9c03c5ab43", "Title": "Tornado has incomplete validation of cookie attributes", "Description": "Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.", "Severity": "MEDIUM", "VendorSeverity": { "ghsa": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "V3Score": 5.4 } }, "References": [ "https://github.com/tornadoweb/tornado", "https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104", "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5", "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7" ], "PublishedDate": "2026-03-11T22:17:00Z", "LastModifiedDate": "2026-03-11T22:17:00Z" } ] } ] }